Guide to the Secure Configuration of Red Hat Enterprise Linux 8

with profile CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server
This profile defines a baseline that aligns to the "Level 2 - Server" configuration from the Center for Internet Security® Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23. This profile includes Center for Internet Security® Red Hat Enterprise Linux 8 CIS Benchmarks™ content.
This guide presents a catalog of security-relevant configuration settings for Red Hat Enterprise Linux 8. It is a rendering of content structured in the eXtensible Configuration Checklist Description Format (XCCDF) in order to support security automation. The SCAP content is is available in the scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.

Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. The creators of this guidance assume no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic.

Evaluation Characteristics

Evaluation targetciclvl2-rhel84
Benchmark URL/tmp/ssg-rhel8-ds.xml
Benchmark IDxccdf_org.ssgproject.content_benchmark_RHEL-8
Benchmark version0.1.64
Profile IDxccdf_org.ssgproject.content_profile_cis
Started at2022-11-07T15:05:07+00:00
Finished at2022-11-07T15:05:53+00:00
Performed byazureuser
Test systemcpe:/a:redhat:openscap:1.3.4

CPE Platforms

  • cpe:/o:redhat:enterprise_linux:8
  • cpe:/o:redhat:enterprise_linux:8.4
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.1
  • cpe:/o:redhat:enterprise_linux:8.2
  • cpe:/o:redhat:enterprise_linux:8.3
  • cpe:/o:redhat:enterprise_linux:8.5
  • cpe:/o:redhat:enterprise_linux:8.6
  • cpe:/o:redhat:enterprise_linux:8.7
  • cpe:/o:redhat:enterprise_linux:8.8
  • cpe:/o:redhat:enterprise_linux:8.9
  • cpe:/o:redhat:enterprise_linux:8.10

Addresses

  • IPv4  127.0.0.1
  • IPv4  10.0.0.12
  • IPv6  0:0:0:0:0:0:0:1
  • IPv6  fe80:0:0:0:6245:bdff:fec2:b9
  • MAC  00:00:00:00:00:00
  • MAC  60:45:BD:C2:00:B9

Compliance and Scoring

The target system did not satisfy the conditions of 19 rules! Please review rule results and consider applying remediation.

Rule results

261 passed
19 failed
1 other

Severity of failed rules

0 other
3 low
15 medium
1 high

Score

Scoring systemScoreMaximumPercent
urn:xccdf:scoring:default93.864449100.000000
93.86%

Rule Overview

Group rules by:
TitleSeverityResult
Guide to the Secure Configuration of Red Hat Enterprise Linux 8 19x fail 1x notchecked
System Settings 19x fail 1x notchecked
Installing and Maintaining Software 8x fail
System and Software Integrity 3x fail
Software Integrity Checking 3x fail
Verify Integrity with AIDE 3x fail
Install AIDEmedium
fail
Build and Test AIDE Databasemedium
fail
Configure Periodic Execution of AIDEmedium
fail
System Cryptographic Policies
Configure System Cryptography Policyhigh
pass
Configure SSH to use System Crypto Policymedium
pass
Disk Partitioning 3x fail
Ensure /home Located On Separate Partitionlow
pass
Ensure /tmp Located On Separate Partitionlow
pass
Ensure /var Located On Separate Partitionlow
pass
Ensure /var/log Located On Separate Partitionlow
fail
Ensure /var/log/audit Located On Separate Partitionlow
fail
Ensure /var/tmp Located On Separate Partitionmedium
fail
GNOME Desktop Environment
Make sure that the dconf databases are up-to-date with regards to respective keyfileshigh
notapplicable
Sudo 2x fail
Install sudo Packagemedium
pass
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_ptymedium
pass
Ensure Sudo Logfile Exists - sudo logfilelow
fail
Ensure Users Re-Authenticate for Privilege Escalation - sudomedium
fail
The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeoutmedium
pass
Updating Software
Ensure gpgcheck Enabled In Main yum Configurationhigh
pass
Account and Access Control 2x fail
Warning Banners for System Accesses 1x fail
Enable GNOME3 Login Warning Bannermedium
notapplicable
Modify the System Login Bannermedium
fail
Modify the System Message of the Day Bannermedium
pass
Verify Group Ownership of System Login Bannermedium
pass
Verify Group Ownership of Message of the Day Bannermedium
pass
Verify ownership of System Login Bannermedium
pass
Verify ownership of Message of the Day Bannermedium
pass
Verify permissions on System Login Bannermedium
pass
Verify permissions on Message of the Day Bannermedium
pass
Protect Accounts by Configuring PAM
Set Lockouts for Failed Password Attempts
Limit Password Reuse: password-authmedium
pass
Limit Password Reuse: system-authmedium
pass
Lock Accounts After Failed Password Attemptsmedium
pass
Set Lockout Time for Failed Password Attemptsmedium
pass
Set Password Quality Requirements
Set Password Quality Requirements with pam_pwquality
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesmedium
pass
Ensure PAM Enforces Password Requirements - Minimum Lengthmedium
pass
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionmedium
pass
Set Password Hashing Algorithm
Set PAM''s Password Hashing Algorithm - password-authmedium
pass
Set PAM''s Password Hashing Algorithmmedium
pass
Protect Physical Console Access
Require Authentication for Emergency Systemd Targetmedium
pass
Require Authentication for Single User Modemedium
pass
Protect Accounts by Restricting Password-Based Login 1x fail
Set Password Expiration Parameters 1x fail
Set Existing Passwords Maximum Agemedium
pass
Set Existing Passwords Minimum Agemedium
fail
Verify Proper Storage and Existence of Password Hashes
All GIDs referenced in /etc/passwd must be defined in /etc/grouplow
pass
Ensure There Are No Accounts With Blank or Null Passwordshigh
pass
Verify No netrc Files Existmedium
pass
Restrict Root Logins
Verify Only Root Has UID 0high
pass
Verify Root Has A Primary GID 0high
pass
Ensure that System Accounts Do Not Run a Shell Upon Loginmedium
pass
Enforce usage of pam_wheel for su authenticationmedium
pass
Ensure All Groups on the System Have Unique Group IDmedium
pass
Ensure All Groups on the System Have Unique Group Namesmedium
pass
Secure Session Configuration Files for Login Accounts
Ensure that No Dangerous Directories Exist in Root's Path
Ensure that Root's Path Does Not Include World or Group-Writable Directoriesmedium
pass
Ensure that Root's Path Does Not Include Relative Paths or Null Directoriesunknown
pass
Ensure that Users Have Sensible Umask Values
Ensure the Default Bash Umask is Set Correctlymedium
pass
Ensure the Default Umask is Set Correctly in /etc/profilemedium
pass
Set Interactive Session Timeoutmedium
pass
User Initialization Files Must Not Run World-Writable Programsmedium
pass
All Interactive Users Home Directories Must Existmedium
pass
All Interactive User Home Directories Must Be Group-Owned By The Primary Usermedium
pass
All Interactive User Home Directories Must Be Owned By The Primary Usermedium
pass
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivemedium
pass
Enable authselectmedium
pass
System Accounting with auditd
Configure auditd Rules for Comprehensive Auditing
Record Events that Modify the System's Discretionary Access Controls
Record Events that Modify the System's Discretionary Access Controls - chmodmedium
pass
Record Events that Modify the System's Discretionary Access Controls - chownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchmodmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchmodatmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fchownatmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fremovexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - fsetxattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lchownmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lremovexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - lsetxattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - removexattrmedium
pass
Record Events that Modify the System's Discretionary Access Controls - setxattrmedium
pass
Record File Deletion Events by User
Ensure auditd Collects File Deletion Events by User - renamemedium
pass
Ensure auditd Collects File Deletion Events by User - renameatmedium
pass
Ensure auditd Collects File Deletion Events by User - unlinkatmedium
pass
Record Unauthorized Access Attempts Events to Files (unsuccessful)
Record Unsuccessful Access Attempts to Files - creatmedium
pass
Record Unsuccessful Access Attempts to Files - ftruncatemedium
pass
Record Unsuccessful Access Attempts to Files - openmedium
pass
Record Unsuccessful Access Attempts to Files - openatmedium
pass
Record Unsuccessful Access Attempts to Files - truncatemedium
pass
Record Information on Kernel Modules Loading and Unloading
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulemedium
pass
Ensure auditd Collects Information on Kernel Module Loading - init_modulemedium
pass
Records Events that Modify Date and Time Information
Record attempts to alter time through adjtimexmedium
pass
Record Attempts to Alter Time Through clock_settimemedium
pass
Record Attempts to Alter Time Through stimemedium
pass
Record Attempts to Alter the localtime Filemedium
pass
Make the auditd Configuration Immutablemedium
pass
Record Events that Modify the System's Mandatory Access Controlsmedium
pass
Ensure auditd Collects Information on Exporting to Media (successful)medium
pass
Record Events that Modify the System's Network Environmentmedium
pass
Record Attempts to Alter Process and Session Initiation Informationmedium
pass
Ensure auditd Collects System Administrator Actionsmedium
pass
Record Events that Modify User/Group Information - /etc/groupmedium
pass
Record Events that Modify User/Group Information - /etc/gshadowmedium
pass
Record Events that Modify User/Group Information - /etc/security/opasswdmedium
pass
Record Events that Modify User/Group Information - /etc/passwdmedium
pass
Record Events that Modify User/Group Information - /etc/shadowmedium
pass
Configure auditd Data Retention
Configure auditd mail_acct Action on Low Disk Spacemedium
pass
Configure auditd admin_space_left Action on Low Disk Spacemedium
pass
Configure auditd Max Log File Sizemedium
pass
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizemedium
pass
Configure auditd space_left Action on Low Disk Spacemedium
pass
Ensure the audit Subsystem is Installedmedium
pass
Enable auditd Servicemedium
pass
Enable Auditing for Processes Which Start Prior to the Audit Daemonmedium
pass
Extend Audit Backlog Limit for the Audit Daemonlow
pass
GRUB2 bootloader configuration 1x fail
Non-UEFI GRUB2 bootloader configuration
Verify /boot/grub2/grub.cfg Group Ownershipmedium
notapplicable
Verify /boot/grub2/grub.cfg User Ownershipmedium
notapplicable
Verify /boot/grub2/grub.cfg Permissionsmedium
notapplicable
Set Boot Loader Password in grub2high
notapplicable
UEFI GRUB2 bootloader configuration 1x fail
Verify the UEFI Boot Loader grub.cfg Group Ownershipmedium
pass
Verify the UEFI Boot Loader grub.cfg User Ownershipmedium
pass
Verify the UEFI Boot Loader grub.cfg Permissionsmedium
pass
Set the UEFI Boot Loader Passwordhigh
fail
Configure Syslog
Ensure Proper Configuration of Log Files
Ensure System Log Files Have Correct Permissionsmedium
pass
systemd-journald
Enable systemd-journald Servicemedium
pass
Ensure journald is configured to compress large log filesmedium
pass
Ensure journald is configured to send logs to rsyslogmedium
pass
Ensure journald is configured to write log files to persistent diskmedium
pass
Ensure rsyslog is Installedmedium
pass
Enable rsyslog Servicemedium
pass
Network Configuration and Firewalls 1x fail 1x notchecked
firewalld 1x fail
Inspect and Activate Default firewalld Rules
Install firewalld Packagemedium
pass
Verify firewalld Enabledmedium
pass
Strengthen the Default Ruleset 1x fail
Set Default firewalld Zone for Incoming Packetsmedium
fail
iptables and ip6tables 1x notchecked
Inspect and Activate Default Rules 1x notchecked
Set Default ip6tables Policy for Incoming Packetsmedium
notchecked
IPv6
Configure IPv6 Settings if Necessary
Configure Accepting Router Advertisements on All IPv6 Interfacesmedium
pass
Disable Accepting ICMP Redirects for All IPv6 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesmedium
pass
Disable Kernel Parameter for IPv6 Forwardingmedium
pass
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultmedium
pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultmedium
pass
Kernel Parameters Which Affect Networking
Network Related Kernel Runtime Parameters for Hosts and Routers
Disable Accepting ICMP Redirects for All IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesmedium
pass
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesunknown
pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultmedium
pass
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Defaultunknown
pass
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultmedium
pass
Configure Kernel Parameter for Accepting Secure Redirects By Defaultmedium
pass
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesmedium
pass
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesunknown
pass
Enable Kernel Parameter to Use TCP Syncookies on Network Interfacesmedium
pass
Network Parameters for Hosts Only
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesmedium
pass
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultmedium
pass
Disable Kernel Parameter for IP Forwarding on IPv4 Interfacesmedium
pass
Uncommon Network Protocols
Disable DCCP Supportmedium
pass
Disable SCTP Supportmedium
pass
Wireless Networking
Disable Wireless Through Software Configuration
Deactivate Wireless Network Interfacesmedium
notapplicable
File Permissions and Masks 6x fail
Verify Permissions on Important Files and Directories
Verify Group Who Owns Backup group Filemedium
pass
Verify Group Who Owns Backup gshadow Filemedium
pass
Verify Group Who Owns Backup passwd Filemedium
pass
Verify User Who Owns Backup shadow Filemedium
pass
Verify Group Who Owns group Filemedium
pass
Verify Group Who Owns gshadow Filemedium
pass
Verify Group Who Owns passwd Filemedium
pass
Verify Group Who Owns shadow Filemedium
pass
Verify User Who Owns Backup group Filemedium
pass
Verify User Who Owns Backup gshadow Filemedium
pass
Verify User Who Owns Backup passwd Filemedium
pass
Verify Group Who Owns Backup shadow Filemedium
pass
Verify User Who Owns group Filemedium
pass
Verify User Who Owns gshadow Filemedium
pass
Verify User Who Owns passwd Filemedium
pass
Verify User Who Owns shadow Filemedium
pass
Verify Permissions on Backup group Filemedium
pass
Verify Permissions on Backup gshadow Filemedium
pass
Verify Permissions on Backup passwd Filemedium
pass
Verify Permissions on Backup shadow Filemedium
pass
Verify Permissions on group Filemedium
pass
Verify Permissions on gshadow Filemedium
pass
Verify Permissions on passwd Filemedium
pass
Verify Permissions on shadow Filemedium
pass
Verify that All World-Writable Directories Have Sticky Bits Setmedium
pass
Ensure No World-Writable Files Existmedium
pass
Ensure All Files Are Owned by a Groupmedium
pass
Ensure All Files Are Owned by a Usermedium
pass
Restrict Dynamic Mounting and Unmounting of Filesystems
Disable the Automountermedium
pass
Disable Mounting of cramfslow
pass
Disable Mounting of squashfslow
pass
Disable Mounting of udflow
pass
Disable Modprobe Loading of USB Storage Drivermedium
pass
Restrict Partition Mount Options 6x fail
Add nodev Option to /dev/shmmedium
pass
Add noexec Option to /dev/shmmedium
pass
Add nosuid Option to /dev/shmmedium
pass
Add nodev Option to /homeunknown
pass
Add nosuid Option to /homemedium
pass
Add nodev Option to /tmpmedium
pass
Add noexec Option to /tmpmedium
pass
Add nosuid Option to /tmpmedium
pass
Add nodev Option to /var/log/auditmedium
fail
Add noexec Option to /var/log/auditmedium
fail
Add nosuid Option to /var/log/auditmedium
fail
Add nodev Option to /var/logmedium
fail
Add noexec Option to /var/logmedium
fail
Add nosuid Option to /var/logmedium
fail
Add nodev Option to /varmedium
pass
Add noexec Option to /varmedium
pass
Add nosuid Option to /varunknown
pass
Add nodev Option to /var/tmpmedium
notapplicable
Add noexec Option to /var/tmpmedium
notapplicable
Add nosuid Option to /var/tmpmedium
notapplicable
Restrict Programs from Dangerous Execution Patterns
Disable Core Dumps
Disable core dump backtracesmedium
pass
Disable storing core dumpmedium
pass
Enable ExecShield
Enable Randomized Layout of Virtual Address Spacemedium
pass
SELinux 1x fail
Install libselinux Packagehigh
pass
Uninstall mcstrans Packagelow
pass
Uninstall setroubleshoot Packagelow
pass
Ensure SELinux Not Disabled in /etc/default/grubmedium
pass
Ensure No Daemons are Unconfined by SELinuxmedium
fail
Configure SELinux Policymedium
pass
Ensure SELinux State is Enforcingmedium
pass
Services
Cron and At Daemons
Restrict at and cron to Authorized Users if Necessary
Ensure that /etc/at.deny does not existmedium
pass
Ensure that /etc/cron.deny does not existmedium
pass
Verify Group Who Owns /etc/at.allow filemedium
pass
Verify Group Who Owns /etc/cron.allow filemedium
pass
Verify User Who Owns /etc/cron.allow filemedium
pass
Verify Permissions on /etc/at.allow filemedium
pass
Verify Permissions on /etc/cron.allow filemedium
pass
Enable cron Servicemedium
pass
Verify Group Who Owns cron.dmedium
pass
Verify Group Who Owns cron.dailymedium
pass
Verify Group Who Owns cron.hourlymedium
pass
Verify Group Who Owns cron.monthlymedium
pass
Verify Group Who Owns cron.weeklymedium
pass
Verify Group Who Owns Crontabmedium
pass
Verify Owner on cron.dmedium
pass
Verify Owner on cron.dailymedium
pass
Verify Owner on cron.hourlymedium
pass
Verify Owner on cron.monthlymedium
pass
Verify Owner on cron.weeklymedium
pass
Verify Owner on crontabmedium
pass
Verify Permissions on cron.dmedium
pass
Verify Permissions on cron.dailymedium
pass
Verify Permissions on cron.hourlymedium
pass
Verify Permissions on cron.monthlymedium
pass
Verify Permissions on cron.weeklymedium
pass
Verify Permissions on crontabmedium
pass
FTP Server
Disable vsftpd if Possible
Uninstall vsftpd Packagehigh
pass
Web Server
Disable Apache if Possible
Uninstall httpd Packageunknown
pass
IMAP and POP3 Server
Disable Dovecot
Uninstall dovecot Packageunknown
pass
LDAP
Configure OpenLDAP Clients
Ensure LDAP client is not installedlow
pass
Mail Server Software
Configure SMTP For Mail Clients
Disable Postfix Network Listeningmedium
notapplicable
NFS and RPC
Configure NFS Clients
Disable NFS Server Daemons
Disable Network File System (nfs)unknown
pass
Network Time Protocol
Ensure that chronyd is running under chrony user accountmedium
pass
A remote time server for Chrony is configuredmedium
pass
Obsolete Services
Xinetd
Uninstall xinetd Packagelow
pass
NIS
Remove NIS Clientunknown
pass
Uninstall ypserv Packagehigh
pass
Rlogin, Rsh, and Rexec
Uninstall rsh Packageunknown
pass
Remove Rsh Trust Fileshigh
pass
Chat/Messaging Services
Uninstall talk Packagemedium
pass
Telnet
Uninstall telnet-server Packagehigh
pass
Remove telnet Clientslow
pass
TFTP Server
Uninstall tftp-server Packagehigh
pass
Remove tftp Daemonlow
pass
Proxy Server
Disable Squid if Possible
Uninstall squid Packageunknown
pass
Samba(SMB) Microsoft Windows File Sharing Server
Disable Samba if Possible
Uninstall Samba Packageunknown
pass
SNMP Server
Disable SNMP Server if Possible
Uninstall net-snmp Packageunknown
pass
SSH Server
Configure OpenSSH Server if Necessary
Set SSH Client Alive Count Maxmedium
pass
Set SSH Idle Timeout Intervalmedium
pass
Disable Host-Based Authenticationmedium
pass
Disable SSH Access via Empty Passwordshigh
pass
Disable SSH Support for .rhosts Filesmedium
pass
Disable SSH TCP Forwardingmedium
pass
Disable X11 Forwardingmedium
pass
Do Not Allow SSH Environment Optionsmedium
pass
Enable PAMmedium
pass
Set SSH Daemon LogLevel to VERBOSEmedium
pass
Set SSH authentication attempt limitmedium
pass
Set SSH MaxSessions limitmedium
pass
Ensure SSH MaxStartups is configuredmedium
pass
Verify Group Who Owns SSH Server config filemedium
pass
Verify Owner on SSH Server config filemedium
pass
Verify Permissions on SSH Server config filemedium
pass
Verify Permissions on SSH Server Public *.pub Key Filesmedium
pass
X Window System
Disable X Windows
Remove the X Windows Package Groupmedium
pass

Result Details

Install AIDExccdf_org.ssgproject.content_rule_package_aide_installed mediumCCE-80844-4

Install AIDE

Rule IDxccdf_org.ssgproject.content_rule_package_aide_installed
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-package_aide_installed:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80844-4

References:  BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-002696, CCI-002699, CCI-001744, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, 1034, 1288, 1341, 1417, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000445-GPOS-00199, RHEL-08-010359, 1.3.1, SV-251710r809354_rule

Description
The aide package can be installed with the following command:
$ sudo yum install aide
Rationale
The AIDE package must be installed if it is to be available for integrity checking.

Complexity:low
Disruption:low
Reboot:false
Strategy:enable

package --add=aide

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
include install_aide

class install_aide {
  package { 'aide':
    ensure => 'installed',
  }
}

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
- name: Ensure aide is installed
  package:
    name: aide
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80844-4
  - CJIS-5.10.1.3
  - DISA-STIG-RHEL-08-010359
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - package_aide_installed


[[packages]]
name = "aide"
version = "*"

Complexity:low
Disruption:low
Reboot:false
Strategy:enable
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object
Name
aide
Build and Test AIDE Databasexccdf_org.ssgproject.content_rule_aide_build_database mediumCCE-80675-2

Build and Test AIDE Database

Rule IDxccdf_org.ssgproject.content_rule_aide_build_database
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_build_database:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80675-2

References:  BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, 1.3.1

Description
Run the following command to generate a new database:
$ sudo /usr/sbin/aide --init
By default, the database will be written to the file /var/lib/aide/aide.db.new.gz. Storing the database, the configuration file /etc/aide.conf, and the binary /usr/sbin/aide (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity. The newly-generated database can be installed as follows:
$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
To initiate a manual check, run the following command:
$ sudo /usr/sbin/aide --check
If this check produces any unexpected output, investigate.
Rationale
For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Build and Test AIDE Database
  command: /usr/sbin/aide --init
  changed_when: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Check whether the stock AIDE Database exists
  stat:
    path: /var/lib/aide/aide.db.new.gz
  register: aide_database_stat
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Stage AIDE Database
  copy:
    src: /var/lib/aide/aide.db.new.gz
    dest: /var/lib/aide/aide.db.gz
    backup: true
    remote_src: true
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (aide_database_stat.stat.exists is defined and aide_database_stat.stat.exists)
  tags:
  - CCE-80675-2
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - PCI-DSS-Req-11.5
  - aide_build_database
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

/usr/sbin/aide --init
/bin/cp -p /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object
Name
aide

Testing existence of new aide database file  oval:ssg-test_aide_build_new_database_absolute_path:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_build_new_database_absolute_path:obj:1 of type file_object
Filepath
Referenced variable has no values (oval:ssg-variable_aide_build_new_database_absolute_path:var:1).

Testing existence of operational aide database file  oval:ssg-test_aide_operational_database_absolute_path:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_operational_database_absolute_path:obj:1 of type file_object
Filepath
Referenced variable has no values (oval:ssg-variable_aide_operational_database_absolute_path:var:1)
Configure Periodic Execution of AIDExccdf_org.ssgproject.content_rule_aide_periodic_cron_checking mediumCCE-80676-0

Configure Periodic Execution of AIDE

Rule IDxccdf_org.ssgproject.content_rule_aide_periodic_cron_checking
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-aide_periodic_cron_checking:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80676-0

References:  BP28(R51), 1, 11, 12, 13, 14, 15, 16, 2, 3, 5, 7, 8, 9, 5.10.1.3, APO01.06, BAI01.06, BAI02.01, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS04.07, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.02, DSS06.06, CCI-001744, CCI-002699, CCI-002702, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 4.1, SR 6.2, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.4.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.14.2.7, A.15.2.1, A.8.2.3, SI-7, SI-7(1), CM-6(a), DE.CM-1, DE.CM-7, PR.DS-1, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, Req-11.5, SRG-OS-000363-GPOS-00150, SRG-OS-000446-GPOS-00200, SRG-OS-000447-GPOS-00201, 1.3.2

Description
At a minimum, AIDE should be configured to run a weekly scan. To implement a daily execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * * root /usr/sbin/aide --check
To implement a weekly execution of AIDE at 4:05am using cron, add the following line to /etc/crontab:
05 4 * * 0 root /usr/sbin/aide --check
AIDE can be executed periodically through other means; this is merely one example. The usage of cron's special time codes, such as @daily and @weekly is acceptable.
Rationale
By default, AIDE does not install itself for periodic execution. Periodically running AIDE is necessary to reveal unexpected changes in installed files.

Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating system. Changes to operating system configurations can have unintended side effects, some of which may be relevant to security.

Detecting such changes and providing an automated response can help avoid unintended, negative consequences that could ultimately affect the security state of the operating system. The operating system's Information Management Officer (IMO)/Information System Security Officer (ISSO) and System Administrators (SAs) must be notified via email and/or monitoring system trap when there is an unauthorized modification of a configuration item.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Ensure AIDE is installed
  package:
    name: '{{ item }}'
    state: present
  with_items:
  - aide
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - RedHat
  set_fact:
    cron_pkg_name: cronie
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "RedHat" or ansible_os_family == "Suse"
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Set cron package name - Debian
  set_fact:
    cron_pkg_name: cron
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ansible_os_family == "Debian"
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Install cron
  package:
    name: '{{ cron_pkg_name }}'
    state: present
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Configure Periodic Execution of AIDE
  cron:
    name: run AIDE check
    minute: 5
    hour: 4
    weekday: 0
    user: root
    job: /usr/sbin/aide --check
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80676-0
  - CJIS-5.10.1.3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SI-7
  - NIST-800-53-SI-7(1)
  - PCI-DSS-Req-11.5
  - aide_periodic_cron_checking
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! rpm -q --quiet "aide" ; then
    yum install -y "aide"
fi

if ! grep -q "/usr/sbin/aide --check" /etc/crontab ; then
    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
else
    sed -i '\!^.* --check.*$!d' /etc/crontab
    echo "05 4 * * * root /usr/sbin/aide --check" >> /etc/crontab
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

package aide is installed  oval:ssg-test_package_aide_installed:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_aide_installed:obj:1 of type rpminfo_object
Name
aide

run aide with cron  oval:ssg-test_aide_periodic_cron_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_periodic_cron_checking:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/crontab^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$1

run aide with cron  oval:ssg-test_aide_crond_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_test_aide_crond_checking:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/cron.d^.*$^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*root[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$1

run aide with cron  oval:ssg-test_aide_var_cron_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_var_cron_checking:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/var/spool/cron/root^(([0-9]*[\s]*[0-9]*[\s]*\*[\s]*\*[\s]*(\*|([0-7]|mon|tue|wed|thu|fri|sat|sun)|[0-7]-[0-7]))|@(hourly|daily|weekly))[\s]*(root)?[\s]*\/usr\/sbin\/aide[\s]*\-\-check.*$1

run aide with cron.(daily|weekly)  oval:ssg-test_aide_crontabs_checking:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_aide_crontabs_checking:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
^/etc/cron.(daily|weekly)$^.*$^\s*\/usr\/sbin\/aide[\s]*\-\-check.*$1
Configure System Cryptography Policyxccdf_org.ssgproject.content_rule_configure_crypto_policy highCCE-80935-0

Configure System Cryptography Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_crypto_policy:def:1
Time2022-11-07T15:05:07+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80935-0

References:  164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), 1446, CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, SC-12(2), SC-12(3), FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_CKM.1, FCS_CKM.2, FCS_TLSC_EXT.1, SRG-OS-000396-GPOS-00176, SRG-OS-000393-GPOS-00173, SRG-OS-000394-GPOS-00174, RHEL-08-010020, 1.10, 1.11, SV-230223r792855_rule

Description
To configure the system cryptography policy to use ciphers only from the DEFAULT policy, run the following command:
$ sudo update-crypto-policies --set DEFAULT
The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the /etc/crypto-policies/back-ends are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied. Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.
Rationale
Centralized cryptographic policies simplify applying secure ciphers across an operating system and the applications that run on that operating system. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data.
Warnings
warning  The system needs to be rebooted for these changes to take effect.
warning  System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications. FIPS-140 is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf To meet this, the system has to have cryptographic software provided by a vendor that has undergone this certification. This means providing documentation, test results, design information, and independent third party review by an accredited lab. While open source software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to this process.
OVAL test results details

check for crypto policy correctly configured in /etc/crypto-policies/config  oval:ssg-test_configure_crypto_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/configDEFAULT

check for crypto policy correctly configured in /etc/crypto-policies/state/current  oval:ssg-test_configure_crypto_policy_current:tst:1  true

Following items have been found on the system:
PathContent
/etc/crypto-policies/state/currentDEFAULT

Check if update-crypto-policies has been run  oval:ssg-test_crypto_policies_updated:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-variable_crypto_policies_config_file_timestamp:var:11646043042

Check if /etc/crypto-policies/back-ends/nss.config exists  oval:ssg-test_crypto_policy_nss_config:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/etc/crypto-policies/back-ends/nss.configregular00429rw-r--r-- 
Configure SSH to use System Crypto Policyxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy mediumCCE-80939-2

Configure SSH to use System Crypto Policy

Rule IDxccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-configure_ssh_crypto_policy:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80939-2

References:  CCI-001453, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.312(e)(1), 164.312(e)(2)(ii), CIP-003-8 R4.2, CIP-007-3 R5.1, CIP-007-3 R7.1, AC-17(a), AC-17(2), CM-6(a), MA-4(6), SC-13, FCS_SSH_EXT.1, FCS_SSHS_EXT.1, FCS_SSHC_EXT.1, SRG-OS-000250-GPOS-00093, RHEL-08-010287, 5.2.14, SV-244526r809334_rule

Description
Crypto Policies provide a centralized control over crypto algorithms usage of many packages. SSH is supported by crypto policy, but the SSH configuration may be set up to ignore it. To check that Crypto Policies settings are configured correctly, ensure that the CRYPTO_POLICY variable is either commented or not set at all in the /etc/sysconfig/sshd.
Rationale
Overriding the system crypto policy makes the behavior of the SSH service violate expectations, and makes system configuration more fragmented.
OVAL test results details

Check that the SSH configuration mandates usage of system-wide crypto policies.  oval:ssg-test_configure_ssh_crypto_policy:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_configure_ssh_crypto_policy:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysconfig/sshd^\s*(?i)CRYPTO_POLICY\s*=.*$1
Ensure /home Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_home lowCCE-81044-0

Ensure /home Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_home
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_home:def:1
Time2022-11-07T15:05:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-81044-0

References:  BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, CCI-001208, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010800, 1.1.7.1, SV-230328r627750_rule

Description
If user home directories will be stored locally, create a separate partition for /home at installation time (or migrate it later using LVM). If /home will be mounted from another system such as an NFS server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later.
Rationale
Ensuring that /home is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage.
OVAL test results details

/home on own partition  oval:ssg-testhome_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/rootvg-homelv841c3ec8-e576-405d-80ff-4ae2bf8883adxfsrwseclabelnosuidnodevrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958446642212942
Ensure /tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_tmp lowCCE-80851-9

Ensure /tmp Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_tmp
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_tmp:def:1
Time2022-11-07T15:05:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80851-9

References:  BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010543, 1.1.2.1, SV-230295r627750_rule

Description
The /tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
The /tmp partition is used as temporary storage by many programs. Placing /tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.
OVAL test results details

/tmp on own partition  oval:ssg-testtmp_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmp/dev/mapper/rootvg-tmplv10a53d6f-3d9b-403a-a691-083632225621xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172824697497031
Ensure /var Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var lowCCE-80852-7

Ensure /var Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var:def:1
Time2022-11-07T15:05:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80852-7

References:  BP28(R12), 12, 15, 8, APO13.01, DSS05.02, CCI-000366, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.13.1.1, A.13.2.1, A.14.1.3, CM-6(a), SC-5(2), PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010540, 1.1.3.1, SV-230292r627750_rule

Description
The /var directory is used by daemons and other system services to store frequently-changing data. Ensure that /var has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the /var directory to contain world-writable directories installed by other software packages.
OVAL test results details

/var on own partition  oval:ssg-testvar_partition:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/dev/mapper/rootvg-varlv2e953a84-ce4d-4d23-9527-029c4011938cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind20945921452731949319
Ensure /var/log Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log lowCCE-80853-5

Ensure /var/log Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_log:def:1
Time2022-11-07T15:05:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80853-5

References:  BP28(R12), BP28(R47), 1, 12, 14, 15, 16, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.PT-1, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-010541, 1.1.5.1, SV-230293r627750_rule

Description
System logs are stored in the /var/log directory. Ensure that /var/log has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
Placing /var/log in its own partition enables better separation between log files and other files in /var/.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log


[[customizations.filesystem]]
mountpoint = "/var/log"
size = 5368709120
OVAL test results details

/var/log on own partition  oval:ssg-testvar_log_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_own_partition:obj:1 of type partition_object
Mount point
/var/log
Ensure /var/log/audit Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_log_audit lowCCE-80854-3

Ensure /var/log/audit Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_log_audit:def:1
Time2022-11-07T15:05:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80854-3

References:  BP28(R43), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 8, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS05.02, DSS05.04, DSS05.07, MEA02.01, CCI-000366, CCI-001849, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.2, SR 7.6, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.17.2.1, CIP-007-3 R6.5, CM-6(a), AU-4, SC-5(2), PR.DS-4, PR.PT-1, PR.PT-4, FMT_SMF_EXT.1, SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227, SRG-OS-000341-VMM-001220, RHEL-08-010542, 1.1.6.1, SV-230294r627750_rule

Description
Audit logs are stored in the /var/log/audit directory. Ensure that /var/log/audit has its own partition or logical volume at installation time, or migrate it using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Rationale
Placing /var/log/audit in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log/audit


[[customizations.filesystem]]
mountpoint = "/var/log/audit"
size = 10737418240
OVAL test results details

/var/log/audit on own partition  oval:ssg-testvar_log_audit_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_log_audit_own_partition:obj:1 of type partition_object
Mount point
/var/log/audit
Ensure /var/tmp Located On Separate Partitionxccdf_org.ssgproject.content_rule_partition_for_var_tmp mediumCCE-82730-3

Ensure /var/tmp Located On Separate Partition

Rule IDxccdf_org.ssgproject.content_rule_partition_for_var_tmp
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-partition_for_var_tmp:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82730-3

References:  BP28(R12), SRG-OS-000480-GPOS-00227, RHEL-08-010544, 1.1.4.1, SV-244529r743836_rule

Description
The /var/tmp directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM.
Rationale
The /var/tmp partition is used as temporary storage by many programs. Placing /var/tmp in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/tmp


[[customizations.filesystem]]
mountpoint = "/var/tmp"
size = 1073741824
OVAL test results details

/var/tmp on own partition  oval:ssg-testvar_tmp_partition:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_mountvar_tmp_own_partition:obj:1 of type partition_object
Mount point
/var/tmp
Make sure that the dconf databases are up-to-date with regards to respective keyfilesxccdf_org.ssgproject.content_rule_dconf_db_up_to_date highCCE-81003-6

Make sure that the dconf databases are up-to-date with regards to respective keyfiles

Rule IDxccdf_org.ssgproject.content_rule_dconf_db_up_to_date
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:07+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-81003-6

References:  164.308(a)(1)(ii)(B), 164.308(a)(5)(ii)(A), SRG-OS-000480-GPOS-00227, 1.8.2

Description
By default, DConf uses a binary database as a data backend. The system-level database is compiled from keyfiles in the /etc/dconf/db/ directory by the
dconf update
command. More specifically, content present in the following directories:
/etc/dconf/db/gdm.d
/etc/dconf/db/local.d
Rationale
Unlike text-based keyfiles, the binary database is impossible to check by OVAL. Therefore, in order to evaluate dconf configuration, both have to be true at the same time - configuration files have to be compliant, and the database needs to be more recent than those keyfiles, which gives confidence that it reflects them.
Install sudo Packagexccdf_org.ssgproject.content_rule_package_sudo_installed mediumCCE-82214-8

Install sudo Package

Rule IDxccdf_org.ssgproject.content_rule_package_sudo_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_sudo_installed:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82214-8

References:  BP28(R19), 1382, 1384, 1386, CM-6(a), FMT_MOF_EXT.1, SRG-OS-000324-GPOS-00125, 5.3.1

Description
The sudo package can be installed with the following command:
$ sudo yum install sudo
Rationale
sudo is a program designed to allow a system administrator to give limited root privileges to users and log root activity. The basic philosophy is to give as few privileges as possible but still allow system users to get their work done.
OVAL test results details

package sudo is installed  oval:ssg-test_package_sudo_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
sudox86_64(none)7.el8_4.11.8.290:1.8.29-7.el8_4.1199e2f91fd431d51sudo-0:1.8.29-7.el8_4.1.x86_64
Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_ptyxccdf_org.ssgproject.content_rule_sudo_add_use_pty mediumCCE-83798-9

Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty

Rule IDxccdf_org.ssgproject.content_rule_sudo_add_use_pty
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_add_use_pty:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83798-9

References:  BP28(R58), 5.3.2

Description
The sudo use_pty tag, when specified, will only execute sudo commands from users logged in to a real tty. This should be enabled by making sure that the use_pty tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.
Rationale
Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining access to the user's terminal after the main program has finished executing.
OVAL test results details

use_pty exists in /etc/sudoers or /etc/sudoers.d/  oval:ssg-test_use_pty_sudoers:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults use_pty
Ensure Sudo Logfile Exists - sudo logfilexccdf_org.ssgproject.content_rule_sudo_custom_logfile lowCCE-83601-5

Ensure Sudo Logfile Exists - sudo logfile

Rule IDxccdf_org.ssgproject.content_rule_sudo_custom_logfile
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_custom_logfile:def:1
Time2022-11-07T15:05:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-83601-5

References:  5.3.3

Description
A custom log sudo file can be configured with the 'logfile' tag. This rule configures a sudo custom logfile at the default location suggested by CIS, which uses /var/log/sudo.log.
Rationale
A sudo log file simplifies auditing of sudo commands.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: XCCDF Value var_sudo_logfile # promote to variable
  set_fact:
    var_sudo_logfile: !!str /var/log/sudo.log
  tags:
    - always

- name: Ensure logfile is enabled with the appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\blogfile=[-]?.+\b(.*)$
    line: Defaults \1logfile={{ var_sudo_logfile }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_logfile_option
  tags:
  - CCE-83601-5
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_custom_logfile

- name: Enable logfile option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults logfile={{ var_sudo_logfile }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_logfile_option is defined and not edit_sudoers_logfile_option.changed
  tags:
  - CCE-83601-5
  - low_complexity
  - low_disruption
  - low_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_custom_logfile

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict


var_sudo_logfile='/var/log/sudo.log'


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b)\b.*$' /etc/sudoers; then
        # sudoers file doesn't define Option logfile
        echo "Defaults logfile=${var_sudo_logfile}" >> /etc/sudoers
    else
        # sudoers file defines Option logfile, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\blogfile=${var_sudo_logfile}\b.*$" /etc/sudoers; then
            
            escaped_variable=${var_sudo_logfile//$'/'/$'\/'}
            sed -Ei "s/(^[\s]*Defaults.*\blogfile=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
        fi
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi
OVAL test results details

logfile exists in /etc/sudoers or /etc/sudoers.d/  oval:ssg-test_logfile_sudoers:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_logfile_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^/etc/sudoers(|\.d/.*)$^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b).*$1
Ensure Users Re-Authenticate for Privilege Escalation - sudoxccdf_org.ssgproject.content_rule_sudo_require_authentication mediumCCE-82279-1

Ensure Users Re-Authenticate for Privilege Escalation - sudo

Rule IDxccdf_org.ssgproject.content_rule_sudo_require_authentication
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_require_authentication:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82279-1

References:  1, 12, 15, 16, 5, DSS05.04, DSS05.10, DSS06.03, DSS06.10, CCI-002038, 4.3.3.5.1, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-11, CM-6(a), PR.AC-1, PR.AC-7, SRG-OS-000373-GPOS-00156, 5.3.4

Description
The sudo NOPASSWD and !authenticate option, when specified, allows a user to execute commands using sudo without having to authenticate. This should be disabled by making sure that NOPASSWD and/or !authenticate do not exist in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/."
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict
- name: Find /etc/sudoers.d/ files
  find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - CCE-82279-1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication

- name: Remove lines containing NOPASSWD from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+NOPASSWD[\s]*\:.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - CCE-82279-1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication

- name: Find /etc/sudoers.d/ files
  find:
    paths:
    - /etc/sudoers.d/
  register: sudoers
  tags:
  - CCE-82279-1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication

- name: Remove lines containing !authenticate from sudoers files
  replace:
    regexp: (^(?!#).*[\s]+\!authenticate.*$)
    replace: '# \g<1>'
    path: '{{ item.path }}'
    validate: /usr/sbin/visudo -cf %s
  with_items:
  - path: /etc/sudoers
  - '{{ sudoers.files }}'
  tags:
  - CCE-82279-1
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-11
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_require_authentication

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+NOPASSWD[\s]*\:.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "NOPASSWD" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done

for f in /etc/sudoers /etc/sudoers.d/* ; do
  if [ ! -e "$f" ] ; then
    continue
  fi
  matching_list=$(grep -P '^(?!#).*[\s]+\!authenticate.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      # comment out "!authenticate" matches to preserve user data
      sed -i "s/^${entry}$/# &/g" $f
    done <<< "$matching_list"

    /usr/sbin/visudo -cf $f &> /dev/null || echo "Fail to validate $f with visudo"
  fi
done
OVAL test results details

!authenticate does not exist in /etc/sudoers  oval:ssg-test_no_authenticate_etc_sudoers:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^(?!#).*[\s]+\!authenticate.*$1

!authenticate does not exist in /etc/sudoers.d  oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sudoers.d^.*$^(?!#).*[\s]+\!authenticate.*$1

NOPASSWD does not exist /etc/sudoers  oval:ssg-test_nopasswd_etc_sudoers:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_nopasswd_etc_sudoers:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sudoers^(?!#).*[\s]+NOPASSWD[\s]*\:.*$1

NOPASSWD does not exist in /etc/sudoers.d  oval:ssg-test_nopasswd_etc_sudoers_d:tst:1  false

Following items have been found on the system:
PathContent
/etc/sudoers.d/90-cloud-init-usersazureuser ALL=(ALL) NOPASSWD:ALL
The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeoutxccdf_org.ssgproject.content_rule_sudo_require_reauthentication mediumCCE-87838-9

The operating system must require Re-Authentication when using the sudo command. Ensure sudo timestamp_timeout is appropriate - sudo timestamp_timeout

Rule IDxccdf_org.ssgproject.content_rule_sudo_require_reauthentication
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sudo_require_reauthentication:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-87838-9

References:  CCI-002038, IA-11, SRG-OS-000373-GPOS-00156, SRG-OS-000373-GPOS-00157, SRG-OS-000373-GPOS-00158, RHEL-08-010384, 5.3.5, SV-237643r838720_rule

Description
The sudo timestamp_timeout tag sets the amount of time sudo password prompt waits. The default timestamp_timeout value is 5 minutes. The timestamp_timeout should be configured by making sure that the timestamp_timeout tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/. If the value is set to an integer less than 0, the user's time stamp will not expire and the user will not have to re-authenticate for privileged actions until the user's session is terminated.
Rationale
Without re-authentication, users may access resources or perform tasks for which they do not have authorization.

When operating systems provide the capability to escalate a functional capability, it is critical that the user re-authenticate.
OVAL test results details

check correct configuration in /etc/sudoers  oval:ssg-test_sudo_timestamp_timeout:tst:1  true

Following items have been found on the system:
PathContent
/etc/sudoersDefaults timestamp_timeout=5
Ensure gpgcheck Enabled In Main yum Configurationxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated highCCE-80790-9

Ensure gpgcheck Enabled In Main yum Configuration

Rule IDxccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-ensure_gpgcheck_globally_activated:def:1
Time2022-11-07T15:05:07+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80790-9

References:  BP28(R15), 11, 2, 3, 9, 5.10.4.1, APO01.06, BAI03.05, BAI06.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS06.02, 3.4.8, CCI-001749, 164.308(a)(1)(ii)(D), 164.312(b), 164.312(c)(1), 164.312(c)(2), 164.312(e)(2)(i), 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.4, SR 3.1, SR 3.3, SR 3.4, SR 3.8, SR 7.6, A.11.2.4, A.12.1.2, A.12.2.1, A.12.5.1, A.12.6.2, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, CM-5(3), SI-7, SC-12, SC-12(3), CM-6(a), SA-12, SA-12(10), CM-11(a), CM-11(b), PR.DS-6, PR.DS-8, PR.IP-1, FPT_TUD_EXT.1, FPT_TUD_EXT.2, Req-6.2, SRG-OS-000366-GPOS-00153, SRG-OS-000366-VMM-001430, SRG-OS-000370-VMM-001460, SRG-OS-000404-VMM-001650, RHEL-08-010370, 1.2.3, SV-230264r627750_rule

Description
The gpgcheck option controls whether RPM packages' signatures are always checked prior to installation. To configure yum to check package signatures before installing them, ensure the following line appears in /etc/yum.conf in the [main] section:
gpgcheck=1
Rationale
Changes to any software components can have significant effects on the overall security of the operating system. This requirement ensures the software has not been tampered with and that it has been provided by a trusted vendor.
Accordingly, patches, service packs, device drivers, or operating system components must be signed with a certificate recognized and approved by the organization.
Verifying the authenticity of the software prior to installation validates the integrity of the patch or upgrade received from a vendor. This ensures the software has not been tampered with and that it has been provided by a trusted vendor. Self-signed certificates are disallowed by this requirement. Certificates used to verify the software must be from an approved Certificate Authority (CA).
OVAL test results details

check value of gpgcheck in /etc/yum.conf  oval:ssg-test_ensure_gpgcheck_globally_activated:tst:1  true

Following items have been found on the system:
PathContent
/etc/yum.confgpgcheck=1
Enable GNOME3 Login Warning Bannerxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled mediumCCE-80768-5

Enable GNOME3 Login Warning Banner

Rule IDxccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80768-5

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(b), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, RHEL-08-010049, 1.8.2, SV-244519r743806_rule

Description
In the default graphical environment, displaying a login warning banner in the GNOME Display Manager's login screen can be enabled on the login screen by setting banner-message-enable to true.

To enable, add or edit banner-message-enable to /etc/dconf/db/gdm.d/00-security-settings. For example:
[org/gnome/login-screen]
banner-message-enable=true
Once the setting has been added, add a lock to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification. For example:
/org/gnome/login-screen/banner-message-enable
After the settings have been set, run dconf update. The banner text must also be set.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

For U.S. Government systems, system use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
Modify the System Login Bannerxccdf_org.ssgproject.content_rule_banner_etc_issue mediumCCE-80763-6

Modify the System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_banner_etc_issue
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-banner_etc_issue:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80763-6

References:  1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.9, CCI-000048, CCI-000050, CCI-001384, CCI-001385, CCI-001386, CCI-001387, CCI-001388, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, AC-8(a), AC-8(c), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000023-GPOS-00006, SRG-OS-000228-GPOS-00088, SRG-OS-000023-VMM-000060, SRG-OS-000024-VMM-000070, RHEL-08-010060, 1.7.2, SV-230227r627750_rule

Description
To configure the system login banner edit /etc/issue. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.

Complexity:low
Disruption:medium
Reboot:false
Strategy:unknown
- name: XCCDF Value login_banner_text # promote to variable
  set_fact:
    login_banner_text: !!str ^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$
  tags:
    - always

- name: Modify the System Login Banner - ensure correct banner
  copy:
    dest: /etc/issue
    content: '{{ login_banner_text | regex_replace("^\^(.*)\$$", "\1") | regex_replace("^\((.*\.)\|.*\)$",
      "\1") | regex_replace("\[\\s\\n\]\+"," ") | regex_replace("\(\?:\[\\n\]\+\|\(\?:\\\\n\)\+\)",
      "\n") | regex_replace("\\", "") | wordwrap() }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-80763-6
  - DISA-STIG-RHEL-08-010060
  - NIST-800-171-3.1.9
  - NIST-800-53-AC-8(a)
  - NIST-800-53-AC-8(c)
  - banner_etc_issue
  - low_complexity
  - medium_disruption
  - medium_severity
  - no_reboot_needed
  - unknown_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

login_banner_text='^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$'


# Multiple regexes transform the banner regex into a usable banner
# 0 - Remove anchors around the banner text
login_banner_text=$(echo "$login_banner_text" | sed 's/^\^\(.*\)\$$/\1/g')
# 1 - Keep only the first banners if there are multiple
#    (dod_banners contains the long and short banner)
login_banner_text=$(echo "$login_banner_text" | sed 's/^(\(.*\.\)|.*)$/\1/g')
# 2 - Add spaces ' '. (Transforms regex for "space or newline" into a " ")
login_banner_text=$(echo "$login_banner_text" | sed 's/\[\\s\\n\]+/ /g')
# 3 - Adds newlines. (Transforms "(?:\[\\n\]+|(?:\\n)+)" into "\n")
login_banner_text=$(echo "$login_banner_text" | sed 's/(?:\[\\n\]+|(?:\\\\n)+)/\n/g')
# 4 - Remove any leftover backslash. (From any parethesis in the banner, for example).
login_banner_text=$(echo "$login_banner_text" | sed 's/\\//g')
formatted=$(echo "$login_banner_text" | fold -sw 80)

cat <<EOF >/etc/issue
$formatted
EOF

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

correct banner in /etc/issue  oval:ssg-test_banner_etc_issue:tst:1  false

Following items have been found on the system:
PathContent
/etc/issue\S Kernel \r on an \m
/etc/issue.d/cockpit.issueActivate the web console with: systemctl enable --now cockpit.socket
Modify the System Message of the Day Bannerxccdf_org.ssgproject.content_rule_banner_etc_motd mediumCCE-83496-0

Modify the System Message of the Day Banner

Rule IDxccdf_org.ssgproject.content_rule_banner_etc_motd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-banner_etc_motd:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83496-0

References:  1.7.1

Description
To configure the system message banner edit /etc/motd. Replace the default text with a message compliant with the local site policy or a legal disclaimer. The DoD required text is either:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests -- not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.


OR:

I've read & consent to terms in IS user agreem't.
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.

System use notifications are required only for access via login interfaces with human users and are not required when such human interfaces do not exist.
OVAL test results details

correct banner in /etc/motd  oval:ssg-test_banner_etc_motd:tst:1  true

Following items have been found on the system:
PathContent
/etc/motd
Verify Group Ownership of System Login Bannerxccdf_org.ssgproject.content_rule_file_groupowner_etc_issue mediumCCE-83708-8

Verify Group Ownership of System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_issue:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83708-8

References:  1.7.5

Description
To properly set the group owner of /etc/issue, run the command:
$ sudo chgrp root /etc/issue
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner.
OVAL test results details

Testing group ownership of /etc/issue  oval:ssg-test_file_groupowner_etc_issue_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_issue_0:obj:1 of type file_object
FilepathFilterFilter
/etc/issueoval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1
Verify Group Ownership of Message of the Day Bannerxccdf_org.ssgproject.content_rule_file_groupowner_etc_motd mediumCCE-83728-6

Verify Group Ownership of Message of the Day Banner

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_motd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_motd:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83728-6

References:  1.7.4

Description
To properly set the group owner of /etc/motd, run the command:
$ sudo chgrp root /etc/motd
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper group ownership will ensure that only root user can modify the banner.
OVAL test results details

Testing group ownership of /etc/motd  oval:ssg-test_file_groupowner_etc_motd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_motd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/motdoval:ssg-symlink_file_groupowner_etc_motd_uid_0:ste:1oval:ssg-state_file_groupowner_etc_motd_gid_0_0:ste:1
Verify ownership of System Login Bannerxccdf_org.ssgproject.content_rule_file_owner_etc_issue mediumCCE-83718-7

Verify ownership of System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_issue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_issue:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83718-7

References:  1.7.5

Description
To properly set the owner of /etc/issue, run the command:
$ sudo chown root /etc/issue 
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner.
OVAL test results details

Testing user ownership of /etc/issue  oval:ssg-test_file_owner_etc_issue_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_issue_0:obj:1 of type file_object
FilepathFilterFilter
/etc/issueoval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1
Verify ownership of Message of the Day Bannerxccdf_org.ssgproject.content_rule_file_owner_etc_motd mediumCCE-83738-5

Verify ownership of Message of the Day Banner

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_motd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_motd:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83738-5

References:  1.7.4

Description
To properly set the owner of /etc/motd, run the command:
$ sudo chown root /etc/motd 
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper ownership will ensure that only root user can modify the banner.
OVAL test results details

Testing user ownership of /etc/motd  oval:ssg-test_file_owner_etc_motd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_motd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/motdoval:ssg-symlink_file_owner_etc_motd_uid_0:ste:1oval:ssg-state_file_owner_etc_motd_uid_0_0:ste:1
Verify permissions on System Login Bannerxccdf_org.ssgproject.content_rule_file_permissions_etc_issue mediumCCE-83348-3

Verify permissions on System Login Banner

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_issue
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_issue:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83348-3

References:  1.7.5

Description
To properly set the permissions of /etc/issue, run the command:
$ sudo chmod 0644 /etc/issue
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner.
OVAL test results details

Testing mode of /etc/issue  oval:ssg-test_file_permissions_etc_issue_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_issue_0:obj:1 of type file_object
FilepathFilterFilter
/etc/issueoval:ssg-exclude_symlinks__etc_issue:ste:1oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1
Verify permissions on Message of the Day Bannerxccdf_org.ssgproject.content_rule_file_permissions_etc_motd mediumCCE-83338-4

Verify permissions on Message of the Day Banner

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_motd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_motd:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83338-4

References:  1.7.4

Description
To properly set the permissions of /etc/motd, run the command:
$ sudo chmod 0644 /etc/motd
Rationale
Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
Proper permissions will ensure that only root user can modify the banner.
OVAL test results details

Testing mode of /etc/motd  oval:ssg-test_file_permissions_etc_motd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_motd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/motdoval:ssg-exclude_symlinks__etc_motd:ste:1oval:ssg-state_file_permissions_etc_motd_0_mode_0644or_stricter_:ste:1
Limit Password Reuse: password-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth mediumCCE-83478-8

Limit Password Reuse: password-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_password_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwhistory_remember_password_auth:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83478-8

References:  1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, RHEL-08-020220, 5.5.3, SV-230368r810414_rule

Description
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

In the file /etc/pam.d/password-auth, make sure the parameter remember is present and it has a value equal to or greater than 5. For example:
password control_flag pam_pwhistory.so ...existing_options... remember=5 use_authtok
control_flag should be one of the next values: required
Rationale
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.
OVAL test results details

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_password_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authpassword required pam_pwhistory.so remember=5
Limit Password Reuse: system-authxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth mediumCCE-83480-4

Limit Password Reuse: system-auth

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_pwhistory_remember_system_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_pwhistory_remember_system_auth:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83480-4

References:  1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.5.8, CCI-000200, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(f), IA-5(1)(e), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.5, SRG-OS-000077-GPOS-00045, SRG-OS-000077-VMM-000440, RHEL-08-020221, 5.5.3, SV-251717r810415_rule

Description
Do not allow users to reuse recent passwords. This can be accomplished by using the remember option for the pam_pwhistory PAM module.

In the file /etc/pam.d/system-auth, make sure the parameter remember is present and it has a value equal to or greater than 5 For example:
password control_flag pam_pwhistory.so ...existing_options... remember=5 use_authtok
control_flag should be one of the next values: required
Rationale
Preventing re-use of previous passwords helps ensure that a compromised password is not re-used by a user.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_accounts_password_pam_pwhistory_remember_system_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authpassword required pam_pwhistory.so remember=5
Lock Accounts After Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny mediumCCE-80667-9

Lock Accounts After Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_deny:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80667-9

References:  BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), PR.AC-7, FIA_AFL.1, Req-8.1.6, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000021-VMM-000050, RHEL-08-020010, 5.4.2, 5.5.2, SV-230332r627750_rule

Description
This rule configures the system to lock out accounts after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version.
Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_system_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth account required pam_faillock.so account required pam_unix.so

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_password_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-auth account required pam_faillock.so account required pam_unix.so

Check the expected deny value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected deny value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
3
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of deny parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.confdeny = 3

Check the absence of deny parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of deny parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_deny_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*deny=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected deny value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_deny_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confdeny = 3
Set Lockout Time for Failed Password Attemptsxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time mediumCCE-80670-3

Set Lockout Time for Failed Password Attempts

Rule IDxccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80670-3

References:  BP28(R18), 1, 12, 15, 16, 5.5.3, DSS05.04, DSS05.10, DSS06.10, 3.1.8, CCI-000044, CCI-002236, CCI-002237, CCI-002238, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(b), PR.AC-7, FIA_AFL.1, Req-8.1.7, SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005, SRG-OS-000329-VMM-001180, RHEL-08-020016, 5.4.2, SV-230338r627750_rule

Description
This rule configures the system to lock out accounts during a specified time period after a number of incorrect login attempts using pam_faillock.so. pam_faillock.so module requires multiple entries in pam files. These entries must be carefully defined to work as expected. In order to avoid any errors when manually editing these files, it is recommended to use the appropriate tools, such as authselect or authconfig, depending on the OS version. If unlock_time is set to 0, manual intervention by an administrator is required to unlock a user. This should be done using the faillock tool.
Rationale
By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Warnings
warning  If the system supports the new /etc/security/faillock.conf file but the pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and /etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter to /etc/security/faillock.conf to ensure compatibility with authselect tool. The parameters deny and fail_interval, if used, also have to be migrated by their respective remediation.
warning  If the system relies on authselect tool to manage PAM settings, the remediation will also use authselect tool. However, if any manual modification was made in PAM files, the authselect integrity check will fail and the remediation will be aborted in order to preserve intentional changes. In this case, an informative message will be shown in the remediation report. If the system supports the /etc/security/faillock.conf file, the pam_faillock parameters should be defined in faillock.conf file.
OVAL test results details

No more than one pam_unix.so is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/system-auth$1

No more than one pam_unix.so is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password_pam_unix_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth\N+pam_unix\.so^/etc/pam.d/password-auth$1

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authauth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth account required pam_faillock.so account required pam_unix.so

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authauth required pam_faillock.so preauth silent auth sufficient pam_unix.so nullok try_first_pass auth required pam_faillock.so authfail

One and only one occurrence is expected in auth section of password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password_pam_faillock_account:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-auth account required pam_faillock.so account required pam_unix.so

Check the expected unlock_time value in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
900
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
^/etc/pam.d/system-auth$1

Check the expected unlock_time value in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
900
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)
^/etc/pam.d/password-auth$1

Check the absence of unlock_time parameter in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_faillock_conf:tst:1  false

Following items have been found on the system:
PathContent
/etc/security/faillock.confunlock_time = 900

Check the absence of unlock_time parameter in system-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_system:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_system:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)^/etc/pam.d/system-auth$1

Check the absence of unlock_time parameter in password-auth  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_no_pamd_password:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_parameter_pamd_password:obj:1 of type textfilecontent54_object
FilepathPatternInstance
^[\s]*auth[\s]+.+[\s]+pam_faillock.so[\s]+[^\n]*unlock_time=([0-9]+)^/etc/pam.d/password-auth$1

Check the expected unlock_time value in in /etc/security/faillock.conf  oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_parameter_faillock_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/faillock.confunlock_time = 900
Ensure PAM Enforces Password Requirements - Minimum Different Categoriesxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass mediumCCE-82046-4

Ensure PAM Enforces Password Requirements - Minimum Different Categories

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_minclass
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_minclass:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82046-4

References:  1, 12, 15, 16, 5, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000195, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, SRG-OS-000072-GPOS-00040, RHEL-08-020160, 5.5.1, SV-230362r833323_rule

Description
The pam_pwquality module's minclass parameter controls requirements for usage of different character classes, or types, of character that must exist in a password before it is considered valid. For example, setting this value to three (3) requires that any password must have characters from at least three different categories in order to be approved. The default value is zero (0), meaning there are no required classes. There are four categories available:
* Upper-case characters
* Lower-case characters
* Digits
* Special characters (for example, punctuation)
Modify the minclass setting in /etc/security/pwquality.conf entry to require 4 differing categories of characters when changing passwords.
Rationale
Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks.

Password complexity is one factor of several that determines how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.

Requiring a minimum number of character categories makes password guessing attacks more difficult by ensuring a larger search space.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so try_first_pass

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_minclass:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confminclass = 4
Ensure PAM Enforces Password Requirements - Minimum Lengthxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen mediumCCE-80656-2

Ensure PAM Enforces Password Requirements - Minimum Length

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_minlen
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_minlen:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80656-2

References:  BP28(R18), 1, 12, 15, 16, 5, 5.6.2.1.1, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000205, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(a), CM-6(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, FMT_SMF_EXT.1, Req-8.2.3, SRG-OS-000078-GPOS-00046, SRG-OS-000072-VMM-000390, SRG-OS-000078-VMM-000450, RHEL-08-020230, 5.5.1, SV-230369r833327_rule

Description
The pam_pwquality module's minlen parameter controls requirements for minimum characters required in a password. Add minlen=14 after pam_pwquality to set minimum password length requirements.
Rationale
The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.
Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. Use of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.
OVAL test results details

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-auth password requisite pam_pwquality.so try_first_pass

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_minlen:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confminlen = 14
Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Sessionxccdf_org.ssgproject.content_rule_accounts_password_pam_retry mediumCCE-80664-6

Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_pam_retry
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_pam_retry:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80664-6

References:  1, 11, 12, 15, 16, 3, 5, 9, 5.5.3, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000192, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-6(a), AC-7(a), IA-5(4), PR.AC-1, PR.AC-6, PR.AC-7, PR.IP-1, FMT_MOF_EXT.1, SRG-OS-000069-GPOS-00037, SRG-OS-000480-GPOS-00227, RHEL-08-020104, 5.4.1, SV-251716r833387_rule

Description
To configure the number of retry prompts that are permitted per-session: Edit the /etc/security/pwquality.conf to include retry=3, or a lower value if site policy is more restrictive. The DoD requirement is a maximum of 3 prompts per session.
Rationale
Setting the password retry prompts that are permitted on a per-session basis to a low value requires some software, such as SSH, to re-connect. This can slow down and draw additional attention to some types of password-guessing attacks. Note that this is different from account lockout, which is provided by the pam_faillock module.
OVAL test results details

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_password_pam_pwquality_retry_password_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/password-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality_retry_system_auth:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/password-auth  oval:ssg-test_password_pam_pwquality_retry_password_auth_not_set:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_password_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/password-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/pam.d/system-auth  oval:ssg-test_password_pam_pwquality_retry_system_auth_not_set:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_password_pam_pwquality_retry_system_auth:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/pam.d/system-auth^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*retry=([0-9]*).*$1

check the configuration of /etc/security/pwquality.conf  oval:ssg-test_password_pam_pwquality_retry_pwquality_conf:tst:1  true

Following items have been found on the system:
PathContent
/etc/security/pwquality.confretry = 3
Set PAM''s Password Hashing Algorithm - password-authxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth mediumCCE-85945-4

Set PAM''s Password Hashing Algorithm - password-auth

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_passwordauth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_passwordauth:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85945-4

References:  BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SRG-OS-000480-VMM-002000, RHEL-08-010160, 5.4.4, SV-230237r809276_rule

Description
The PAM system service can be configured to only store encrypted representations of passwords. In /etc/pam.d/password-auth, the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

check /etc/pam.d/password-auth for correct settings  oval:ssg-test_pam_unix_passwordauth_sha512:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/password-authpassword sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
Set PAM''s Password Hashing Algorithmxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth mediumCCE-80893-1

Set PAM''s Password Hashing Algorithm

Rule IDxccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-set_password_hashing_algorithm_systemauth:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80893-1

References:  BP28(R32), 1, 12, 15, 16, 5, 5.6.2.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.13.11, CCI-000196, CCI-000803, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, 0418, 1055, 1402, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, IA-5(c), IA-5(1)(c), CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.2.1, SRG-OS-000073-GPOS-00041, SRG-OS-000120-GPOS-00061, SRG-OS-000480-VMM-002000, RHEL-08-010159, 5.4.4, SV-244524r809331_rule

Description
The PAM system service can be configured to only store encrypted representations of passwords. In "/etc/pam.d/system-auth", the password section of the file controls which PAM modules execute during a password change. Set the pam_unix.so module in the password section to include the argument sha512, as shown below:
password    sufficient    pam_unix.so sha512 other arguments...

This will help ensure when local users change their passwords, hashes for the new passwords will be generated using the SHA-512 algorithm. This is the default.
Rationale
Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can be plainly read (i.e., clear text) and easily compromised. Passwords that are encrypted with a weak algorithm are no more protected than if they are kepy in plain text.

This setting ensures user and group account administration utilities are configured to store only encrypted representations of passwords. Additionally, the crypt_style configuration option ensures the use of a strong hashing algorithm that makes password cracking attacks more difficult.
OVAL test results details

check /etc/pam.d/system-auth for correct settings  oval:ssg-test_pam_unix_sha512:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/system-authpassword sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
Require Authentication for Emergency Systemd Targetxccdf_org.ssgproject.content_rule_require_emergency_target_auth mediumCCE-82186-8

Require Authentication for Emergency Systemd Target

Rule IDxccdf_org.ssgproject.content_rule_require_emergency_target_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-require_emergency_target_auth:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82186-8

References:  1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010152, 1.4.3, SV-244523r743818_rule

Description
Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence.

By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd emergency.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_emergency_service:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/emergency.serviceExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Tests that the systemd emergency.service is in the emergency.target  oval:ssg-test_require_emergency_service_emergency_target:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/emergency.targetRequires=emergency.service

look for emergency.target in /etc/systemd/system  oval:ssg-test_no_custom_emergency_target:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_target:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^emergency.target$

look for emergency.service in /etc/systemd/system  oval:ssg-test_no_custom_emergency_service:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_custom_emergency_service:obj:1 of type file_object
BehaviorsPathFilename
no value/etc/systemd/system^emergency.service$
Require Authentication for Single User Modexccdf_org.ssgproject.content_rule_require_singleuser_auth mediumCCE-80855-0

Require Authentication for Single User Mode

Rule IDxccdf_org.ssgproject.content_rule_require_singleuser_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-require_singleuser_auth:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80855-0

References:  1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.1.1, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-3, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010151, 1.4.3, SV-230236r743928_rule

Description
Single-user mode is intended as a system recovery method, providing a single user root access to the system by providing a boot option at startup.

By default, single-user mode is protected by requiring a password and is set in /usr/lib/systemd/system/rescue.service.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
OVAL test results details

Tests that /usr/lib/systemd/systemd-sulogin-shell was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode  oval:ssg-test_require_rescue_service:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/rescue.serviceExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
Set Existing Passwords Maximum Agexccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing mediumCCE-82473-0

Set Existing Passwords Maximum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_max_life_existing:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82473-0

References:  CCI-000199, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000076-GPOS-00044, SRG-OS-000076-VMM-000430, RHEL-08-020210, 5.6.1.1, SV-230367r627750_rule

Description
Configure non-compliant accounts to enforce a 365-day maximum password lifetime restriction by running the following command:
$ sudo chage -M 365 USER
Rationale
Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the operating system passwords could be compromised.
OVAL test results details

Password maximum lifetime for existing accounts is at least the minimum.  oval:ssg-test_password_max_life_existing:tst:1  true

Following items have been found on the system:
UsernamePasswordChg lstChg allowChg reqExp warnExp inactExp dateFlagEncrypt method
games1836703657-1-118446744073709551615DES
operator1836703657-1-118446744073709551615DES
daemon1836703657-1-118446744073709551615DES
libstoragemgmt19051-1365-1-1-118446744073709551615DES
clevis19051-1365-1-1-118446744073709551615DES
unbound19051-1365-1-1-118446744073709551615DES
setroubleshoot19051-1365-1-1-118446744073709551615DES
cockpit-ws19051-1365-1-1-118446744073709551615DES
cockpit-wsinstance19051-1365-1-1-118446744073709551615DES
dbus19051-1365-1-1-118446744073709551615DES
sync1836703657-1-118446744073709551615DES
root14600-1365-1-1-118446744073709551615DES
nobody1836703657-1-118446744073709551615DES
ftp1836703657-1-118446744073709551615DES
systemd-coredump19051-1365-1-1-118446744073709551615DES
systemd-resolve19051-1365-1-1-118446744073709551615DES
tss19051-1365-1-1-118446744073709551615DES
polkitd19051-1365-1-1-118446744073709551615DES
bin1836703657-1-118446744073709551615DES
halt1836703657-1-118446744073709551615DES
adm1836703657-1-118446744073709551615DES
mail1836703657-1-118446744073709551615DES
shutdown1836703657-1-118446744073709551615DES
lp1836703657-1-118446744073709551615DES
sssd19051-1365-1-1-118446744073709551615DES
chrony19051-1365-1-1-118446744073709551615DES
sshd19051-1365-1-1-118446744073709551615DES
rngd19051-1365-1-1-118446744073709551615DES
tcpdump19051-1365-1-1-118446744073709551615DES
azureuser1930303657-1-118446744073709551615DES

Password maximum life entry is at least a defined minimum  oval:ssg-test_password_max_life_existing_minimum:tst:1  true

Following items have been found on the system:
UsernamePasswordChg lstChg allowChg reqExp warnExp inactExp dateFlagEncrypt method
games1836703657-1-118446744073709551615DES
operator1836703657-1-118446744073709551615DES
daemon1836703657-1-118446744073709551615DES
libstoragemgmt19051-1365-1-1-118446744073709551615DES
clevis19051-1365-1-1-118446744073709551615DES
unbound19051-1365-1-1-118446744073709551615DES
setroubleshoot19051-1365-1-1-118446744073709551615DES
cockpit-ws19051-1365-1-1-118446744073709551615DES
cockpit-wsinstance19051-1365-1-1-118446744073709551615DES
dbus19051-1365-1-1-118446744073709551615DES
sync1836703657-1-118446744073709551615DES
root14600-1365-1-1-118446744073709551615DES
nobody1836703657-1-118446744073709551615DES
ftp1836703657-1-118446744073709551615DES
systemd-coredump19051-1365-1-1-118446744073709551615DES
systemd-resolve19051-1365-1-1-118446744073709551615DES
tss19051-1365-1-1-118446744073709551615DES
polkitd19051-1365-1-1-118446744073709551615DES
bin1836703657-1-118446744073709551615DES
halt1836703657-1-118446744073709551615DES
adm1836703657-1-118446744073709551615DES
mail1836703657-1-118446744073709551615DES
shutdown1836703657-1-118446744073709551615DES
lp1836703657-1-118446744073709551615DES
sssd19051-1365-1-1-118446744073709551615DES
chrony19051-1365-1-1-118446744073709551615DES
sshd19051-1365-1-1-118446744073709551615DES
rngd19051-1365-1-1-118446744073709551615DES
tcpdump19051-1365-1-1-118446744073709551615DES
azureuser1930303657-1-118446744073709551615DES
Set Existing Passwords Minimum Agexccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing mediumCCE-82472-2

Set Existing Passwords Minimum Age

Rule IDxccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_password_set_min_life_existing:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82472-2

References:  CCI-000198, IA-5(f), IA-5(1)(d), CM-6(a), SRG-OS-000075-GPOS-00043, SRG-OS-000075-VMM000420, RHEL-08-020180, 5.6.1.2, SV-230364r627750_rule

Description
Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime by running the following command:
$ sudo chage -m 1 USER
Rationale
Enforcing a minimum password lifetime helps to prevent repeated password changes to defeat the password reuse or history enforcement requirement. If users are allowed to immediately and continually change their password, the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.

Complexity:low
Disruption:low
Reboot:false
Strategy:restrict

var_accounts_minimum_age_login_defs='7'


while IFS= read -r i; do
    passwd -n $var_accounts_minimum_age_login_defs $i
done <   <(awk -v var="$var_accounts_minimum_age_login_defs" -F: '$4 < var || $4 == "" {print $1}' /etc/shadow)
OVAL test results details

Password minimum lifetime for existing accounts is at least what is defined by policy.  oval:ssg-test_password_min_life_existing:tst:1  false

Following items have been found on the system:
UsernamePasswordChg lstChg allowChg reqExp warnExp inactExp dateFlagEncrypt method
games1836703657-1-118446744073709551615DES
operator1836703657-1-118446744073709551615DES
daemon1836703657-1-118446744073709551615DES
libstoragemgmt19051-1365-1-1-118446744073709551615DES
clevis19051-1365-1-1-118446744073709551615DES
unbound19051-1365-1-1-118446744073709551615DES
setroubleshoot19051-1365-1-1-118446744073709551615DES
cockpit-ws19051-1365-1-1-118446744073709551615DES
cockpit-wsinstance19051-1365-1-1-118446744073709551615DES
dbus19051-1365-1-1-118446744073709551615DES
sync1836703657-1-118446744073709551615DES
root14600-1365-1-1-118446744073709551615DES
nobody1836703657-1-118446744073709551615DES
ftp1836703657-1-118446744073709551615DES
systemd-coredump19051-1365-1-1-118446744073709551615DES
systemd-resolve19051-1365-1-1-118446744073709551615DES
tss19051-1365-1-1-118446744073709551615DES
polkitd19051-1365-1-1-118446744073709551615DES
bin1836703657-1-118446744073709551615DES
halt1836703657-1-118446744073709551615DES
adm1836703657-1-118446744073709551615DES
mail1836703657-1-118446744073709551615DES
shutdown1836703657-1-118446744073709551615DES
lp1836703657-1-118446744073709551615DES
sssd19051-1365-1-1-118446744073709551615DES
chrony19051-1365-1-1-118446744073709551615DES
sshd19051-1365-1-1-118446744073709551615DES
rngd19051-1365-1-1-118446744073709551615DES
tcpdump19051-1365-1-1-118446744073709551615DES
azureuser1930303657-1-118446744073709551615DES

Password minimum life entry is at mosta defined maximum  oval:ssg-test_password_min_life_existing_maximum:tst:1  true

Following items have been found on the system:
UsernamePasswordChg lstChg allowChg reqExp warnExp inactExp dateFlagEncrypt method
games1836703657-1-118446744073709551615DES
operator1836703657-1-118446744073709551615DES
daemon1836703657-1-118446744073709551615DES
libstoragemgmt19051-1365-1-1-118446744073709551615DES
clevis19051-1365-1-1-118446744073709551615DES
unbound19051-1365-1-1-118446744073709551615DES
setroubleshoot19051-1365-1-1-118446744073709551615DES
cockpit-ws19051-1365-1-1-118446744073709551615DES
cockpit-wsinstance19051-1365-1-1-118446744073709551615DES
dbus19051-1365-1-1-118446744073709551615DES
sync1836703657-1-118446744073709551615DES
root14600-1365-1-1-118446744073709551615DES
nobody1836703657-1-118446744073709551615DES
ftp1836703657-1-118446744073709551615DES
systemd-coredump19051-1365-1-1-118446744073709551615DES
systemd-resolve19051-1365-1-1-118446744073709551615DES
tss19051-1365-1-1-118446744073709551615DES
polkitd19051-1365-1-1-118446744073709551615DES
bin1836703657-1-118446744073709551615DES
halt1836703657-1-118446744073709551615DES
adm1836703657-1-118446744073709551615DES
mail1836703657-1-118446744073709551615DES
shutdown1836703657-1-118446744073709551615DES
lp1836703657-1-118446744073709551615DES
sssd19051-1365-1-1-118446744073709551615DES
chrony19051-1365-1-1-118446744073709551615DES
sshd19051-1365-1-1-118446744073709551615DES
rngd19051-1365-1-1-118446744073709551615DES
tcpdump19051-1365-1-1-118446744073709551615DES
azureuser1930303657-1-118446744073709551615DES
All GIDs referenced in /etc/passwd must be defined in /etc/groupxccdf_org.ssgproject.content_rule_gid_passwd_group_same lowCCE-80822-0

All GIDs referenced in /etc/passwd must be defined in /etc/group

Rule IDxccdf_org.ssgproject.content_rule_gid_passwd_group_same
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-gid_passwd_group_same:def:1
Time2022-11-07T15:05:07+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80822-0

References:  1, 12, 15, 16, 5, 5.5.2, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, CCI-000764, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, A.18.1.4, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, CM-6(a), PR.AC-1, PR.AC-6, PR.AC-7, Req-8.5.a, SRG-OS-000104-GPOS-00051, 6.2.2

Description
Add a group to the system for each GID referenced without a corresponding group.
Rationale
If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group with the Group Identifier (GID) is subsequently created, the user may have unintended rights to any files associated with the group.
OVAL test results details

Verify all GIDs referenced in /etc/passwd are defined in /etc/group  oval:ssg-test_gid_passwd_group_same:tst:1  true

Following items have been found on the system:
PathContent
/etc/passwdroot:x:0:0:
/etc/passwdbin:x:1:1:
/etc/passwddaemon:x:2:2:
/etc/passwdadm:x:3:4:
/etc/passwdlp:x:4:7:
/etc/passwdsync:x:5:0:
/etc/passwdshutdown:x:6:0:
/etc/passwdhalt:x:7:0:
/etc/passwdmail:x:8:12:
/etc/passwdoperator:x:11:0:
/etc/passwdgames:x:12:100:
/etc/passwdftp:x:14:50:
/etc/passwdnobody:x:65534:65534:
/etc/passwddbus:x:81:81:
/etc/passwdsystemd-coredump:x:999:997:
/etc/passwdsystemd-resolve:x:193:193:
/etc/passwdtss:x:59:59:
/etc/passwdpolkitd:x:998:996:
/etc/passwdlibstoragemgmt:x:997:995:
/etc/passwdclevis:x:996:992:
/etc/passwdunbound:x:995:991:
/etc/passwdsetroubleshoot:x:994:990:
/etc/passwdcockpit-ws:x:993:989:
/etc/passwdcockpit-wsinstance:x:992:988:
/etc/passwdsssd:x:991:987:
/etc/passwdchrony:x:990:986:
/etc/passwdsshd:x:74:74:
/etc/passwdrngd:x:989:985:
/etc/passwdtcpdump:x:72:72:
/etc/passwdazureuser:x:1000:1000:
Ensure There Are No Accounts With Blank or Null Passwordsxccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow highCCE-85953-8

Ensure There Are No Accounts With Blank or Null Passwords

Rule IDxccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_empty_passwords_etc_shadow:def:1
Time2022-11-07T15:05:07+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-85953-8

References:  CCI-000366, CM-6(b), CM-6.1(iv), SRG-OS-000480-GPOS-00227, 6.2.1

Description
Check the "/etc/shadow" file for blank passwords with the following command:
$ sudo awk -F: '!$2 {print $1}' /etc/shadow
If the command returns any results, this is a finding. Configure all accounts on the system to have a password or lock the account with the following commands: Perform a password reset:
$ sudo passwd [username]
Lock an account:
$ sudo passwd -l [username]
Rationale
If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments.
Warnings
warning  Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.
OVAL test results details

make sure there aren't blank or null passwords in /etc/shadow  oval:ssg-test_no_empty_passwords_etc_shadow:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/shadow^[^:]+::.*$1
Verify No netrc Files Existxccdf_org.ssgproject.content_rule_no_netrc_files mediumCCE-83444-0

Verify No netrc Files Exist

Rule IDxccdf_org.ssgproject.content_rule_no_netrc_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_netrc_files:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83444-0

References:  1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, CCI-000196, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(h), IA-5(1)(c), CM-6(a), IA-5(7), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, 6.2.13, 6.2.15

Description
The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. These files may contain unencrypted passwords to remote FTP servers making them susceptible to access by unauthorized users and should not be used. Any .netrc files should be removed.
Rationale
Unencrypted passwords for remote FTP servers may be stored in .netrc files.
OVAL test results details

look for .netrc in /home  oval:ssg-test_no_netrc_files_home:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_netrc_files_home:obj:1 of type file_object
BehaviorsPathFilename
no value/home^\.netrc$
Verify Only Root Has UID 0xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero highCCE-80649-7

Verify Only Root Has UID 0

Rule IDxccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_no_uid_except_zero:def:1
Time2022-11-07T15:05:07+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80649-7

References:  1, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.10, 3.1.1, 3.1.5, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-2, AC-6(5), IA-4(b), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-040200, 6.2.8, SV-230534r627750_rule

Description
If any account other than root has a UID of 0, this misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed.
If the account is associated with system commands or applications the UID should be changed to one greater than "0" but less than "1000." Otherwise assign a UID greater than "1000" that has not already been assigned.
Rationale
An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner.
OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file  oval:ssg-test_accounts_no_uid_except_root:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_no_uid_except_root:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/passwd^(?!root:)[^:]*:[^:]*:01
Verify Root Has A Primary GID 0xccdf_org.ssgproject.content_rule_accounts_root_gid_zero highCCE-86297-9

Verify Root Has A Primary GID 0

Rule IDxccdf_org.ssgproject.content_rule_accounts_root_gid_zero
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_root_gid_zero:def:1
Time2022-11-07T15:05:07+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-86297-9

References:  5.6.4

Description
The root user should have a primary group of 0.
Rationale
To help ensure that root-owned files are not inadvertently exposed to other users.
OVAL test results details

test that there are no accounts with UID 0 except root in the /etc/passwd file  oval:ssg-test_accounts_root_gid_zero:tst:1  true

Following items have been found on the system:
PathContent
/etc/passwdroot:x:0:0:root:/root:/bin/bash
Ensure that System Accounts Do Not Run a Shell Upon Loginxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts mediumCCE-80843-6

Ensure that System Accounts Do Not Run a Shell Upon Login

Rule IDxccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_shelllogin_for_systemaccounts:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80843-6

References:  1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS06.03, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, 1491, A.12.4.1, A.12.4.3, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-6, CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, SRG-OS-000480-GPOS-00227, 5.6.2

Description
Some accounts are not associated with a human user of the system, and exist to perform some administrative function. Should an attacker be able to log into these accounts, they should not be granted access to a shell.

The login shell for each local account is stored in the last field of each line in /etc/passwd. System accounts are those user accounts with a user ID less than UID_MIN, where value of UID_MIN directive is set in /etc/login.defs configuration file. In the default configuration UID_MIN is set to 1000, thus system accounts are those user accounts with a user ID less than 1000. The user ID is stored in the third field. If any system account SYSACCT (other than root) has a login shell, disable it with the command:
$ sudo usermod -s /sbin/nologin SYSACCT
Rationale
Ensuring shells are not given to system accounts upon login makes it more difficult for attackers to make use of system accounts.
Warnings
warning  Do not perform the steps in this section on the root account. Doing so might cause the system to become inaccessible.
OVAL test results details

SYS_UID_MIN not defined in /etc/login.defs  oval:ssg-test_sys_uid_min_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs  oval:ssg-test_sys_uid_max_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, UID_MIN - 1> system UIDs having shell set  oval:ssg-test_shell_defined_default_uid_range:tst:1  true

Following items have been found on the system:
PathContent
/etc/passwdazureuser:x:1000:1000:Cloud User:/home/azureuser:/bin/bash

SYS_UID_MIN not defined in /etc/login.defs  oval:ssg-test_sys_uid_min_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201

SYS_UID_MAX not defined in /etc/login.defs  oval:ssg-test_sys_uid_max_not_defined:tst:1  false

Following items have been found on the system:
PathContent
/etc/login.defs# # Please note that the parameters in this configuration file control the # behavior of the tools from the shadow-utils component. None of these # tools uses the PAM mechanism, and the utilities that use PAM (such as the # passwd command) should therefore be configured elsewhere. Refer to # /etc/pam.d/system-auth for more information. # # *REQUIRED* # Directory where mailboxes reside, _or_ name of file, relative to the # home directory. If you _do_ define both, MAIL_DIR takes precedence. # QMAIL_DIR is for Qmail # #QMAIL_DIR Maildir MAIL_DIR /var/spool/mail #MAIL_FILE .mail # Default initial "umask" value used by login(1) on non-PAM enabled systems. # Default "umask" value for pam_umask(8) on PAM enabled systems. # UMASK is also used by useradd(8) and newusers(8) to set the mode for new # home directories if HOME_MODE is not set. # 022 is the default value, but 027, or even 077, could be considered # for increased privacy. There is no One True Answer here: each sysadmin # must make up their mind. UMASK 027 027 027 027 022 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new # home directories. # If HOME_MODE is not set, the value of UMASK is used to create the mode. HOME_MODE 0700 # Password aging controls: # # PASS_MAX_DAYS Maximum number of days a password may be used. # PASS_MIN_DAYS Minimum number of days allowed between password changes. # PASS_MIN_LEN Minimum acceptable password length. # PASS_WARN_AGE Number of days warning given before a password expires. # PASS_MAX_DAYS 365 PASS_MIN_DAYS 7 PASS_MIN_LEN 5 PASS_WARN_AGE 7 # # Min/max values for automatic uid selection in useradd # UID_MIN 1000 UID_MAX 60000 # System accounts SYS_UID_MIN 201 SYS_UID_MAX 999

<0, SYS_UID_MIN> system UIDs having shell set  oval:ssg-test_shell_defined_reserved_uid_range:tst:1  true

Following items have been found on the system:
PathContent
/etc/passwdazureuser:x:1000:1000:Cloud User:/home/azureuser:/bin/bash

<SYS_UID_MIN, SYS_UID_MAX> system UIDS having shell set  oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1  true

Following items have been found on the system:
PathContent
/etc/passwdazureuser:x:1000:1000:Cloud User:/home/azureuser:/bin/bash
Enforce usage of pam_wheel for su authenticationxccdf_org.ssgproject.content_rule_use_pam_wheel_for_su mediumCCE-83318-6

Enforce usage of pam_wheel for su authentication

Rule IDxccdf_org.ssgproject.content_rule_use_pam_wheel_for_su
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-use_pam_wheel_for_su:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83318-6

References:  FMT_SMF_EXT.1.1, SRG-OS-000373-GPOS-00156, SRG-OS-000312-GPOS-00123, 5.3.7

Description
To ensure that only users who are members of the wheel group can run commands with altered privileges through the su command, make sure that the following line exists in the file /etc/pam.d/su:
auth             required        pam_wheel.so use_uid
Rationale
The su program allows to run commands with a substitute user and group ID. It is commonly used to run commands as the root user. Limiting access to such command is considered a good security practice.
OVAL test results details

check /etc/pam.d/su for correct setting  oval:ssg-test_use_pam_wheel_for_su:tst:1  true

Following items have been found on the system:
PathContent
/etc/pam.d/suauth required pam_wheel.so use_uid
Ensure All Groups on the System Have Unique Group IDxccdf_org.ssgproject.content_rule_group_unique_id mediumCCE-86201-1

Ensure All Groups on the System Have Unique Group ID

Rule IDxccdf_org.ssgproject.content_rule_group_unique_id
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-group_unique_id:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86201-1

References:  CCI-000764, SRG-OS-000104-GPOS-00051, 6.2.4

Description
Change the group name or delete groups, so each has a unique id.
Rationale
To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
Warnings
warning  Automatic remediation of this control is not available due to the unique requirements of each system.
OVAL test results details

There should not exist duplicate group ids in /etc/passwd  oval:ssg-test_etc_group_no_duplicate_group_ids:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-variable_count_of_all_group_ids:var:150
Ensure All Groups on the System Have Unique Group Namesxccdf_org.ssgproject.content_rule_group_unique_name mediumCCE-86328-2

Ensure All Groups on the System Have Unique Group Names

Rule IDxccdf_org.ssgproject.content_rule_group_unique_name
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-group_unique_name:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86328-2

References:  6.2.6

Description
Change the group name or delete groups, so each has a unique name.
Rationale
To assure accountability and prevent unauthenticated access, groups must be identified uniquely to prevent potential misuse and compromise of the system.
Warnings
warning  Automatic remediation of this control is not available due to the unique requirements of each system.
OVAL test results details

There should not exist duplicate group names in /etc/passwd  oval:ssg-test_etc_group_no_duplicate_group_names:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-variable_count_of_all_group_names:var:150
Ensure that Root's Path Does Not Include World or Group-Writable Directoriesxccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write mediumCCE-80672-9

Ensure that Root's Path Does Not Include World or Group-Writable Directories

Rule IDxccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_root_path_dirs_no_write:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80672-9

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.7

Description
For each element in root's path, run:
# ls -ld DIR
and ensure that write permissions are disabled for group and other.
Rationale
Such entries increase the risk that root could execute code provided by unprivileged users, and potentially malicious code.
OVAL test results details

Check if there aren't directories in root's path having write permission set for group or other  oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1 of type file_object
PathFilenameFilterFilter
/sbin
/bin
/usr/sbin
/usr/bin
no valueoval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1oval:ssg-state_accounts_root_path_dirs_symlink:ste:1
Ensure that Root's Path Does Not Include Relative Paths or Null Directoriesxccdf_org.ssgproject.content_rule_root_path_no_dot unknownCCE-85914-0

Ensure that Root's Path Does Not Include Relative Paths or Null Directories

Rule IDxccdf_org.ssgproject.content_rule_root_path_no_dot
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-root_path_no_dot:def:1
Time2022-11-07T15:05:18+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-85914-0

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, CCI-000366, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CM-6(a), CM-6(a), PR.IP-1, 6.2.7

Description
Ensure that none of the directories in root's path is equal to a single . character, or that it contains any instances that lead to relative path traversal, such as .. or beginning a path without the slash (/) character. Also ensure that there are no "empty" elements in the path, such as in these examples:
PATH=:/bin
PATH=/bin:
PATH=/bin::/sbin
These empty elements have the same effect as a single . character.
Rationale
Including these entries increases the risk that root could execute code from an untrusted location.
OVAL test results details

environment variable PATH starts with : or .  oval:ssg-test_env_var_begins:tst:1  true

Following items have been found on the system:
PidNameValue
509566PATH/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH doesn't contain : twice in a row  oval:ssg-test_env_var_contains_doublecolon:tst:1  true

Following items have been found on the system:
PidNameValue
509566PATH/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH doesn't contain . twice in a row  oval:ssg-test_env_var_contains_doubleperiod:tst:1  true

Following items have been found on the system:
PidNameValue
509566PATH/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH ends with : or .  oval:ssg-test_env_var_ends:tst:1  true

Following items have been found on the system:
PidNameValue
509566PATH/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH starts with an absolute path /  oval:ssg-test_env_var_begins_slash:tst:1  true

Following items have been found on the system:
PidNameValue
509566PATH/sbin:/bin:/usr/sbin:/usr/bin

environment variable PATH contains relative paths  oval:ssg-test_env_var_contains_relative_path:tst:1  true

Following items have been found on the system:
PidNameValue
509566PATH/sbin:/bin:/usr/sbin:/usr/bin
Ensure the Default Bash Umask is Set Correctlyxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc mediumCCE-81036-6

Ensure the Default Bash Umask is Set Correctly

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_bashrc:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81036-6

References:  BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule

Description
To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:
umask 027
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_umask_umask_as_number:var:123

Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement  oval:ssg-tst_accounts_umask_etc_bashrc:tst:1  true

Following items have been found on the system:
Var refValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValueValue
oval:ssg-var_etc_bashrc_umask_as_number:var:1232323232323232323232323232323232323232323232323232323
Ensure the Default Umask is Set Correctly in /etc/profilexccdf_org.ssgproject.content_rule_accounts_umask_etc_profile mediumCCE-81035-8

Ensure the Default Umask is Set Correctly in /etc/profile

Rule IDxccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_umask_etc_profile:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81035-8

References:  BP28(R35), 18, APO13.01, BAI03.01, BAI03.02, BAI03.03, CCI-000366, 4.3.4.3.3, A.14.1.1, A.14.2.1, A.14.2.5, A.6.1.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-6(1), CM-6(a), PR.IP-2, SRG-OS-000480-GPOS-00228, SRG-OS-000480-GPOS-00227, RHEL-08-020353, 5.6.5, SV-230385r792902_rule

Description
To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:
umask 027
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
OVAL test results details

Verify the existence of var_accounts_user_umask_as_number variable  oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_umask_umask_as_number:var:123

Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement  oval:ssg-tst_accounts_umask_etc_profile:tst:1  true

Following items have been found on the system:
Var refValueValueValueValueValueValueValueValue
oval:ssg-var_etc_profile_umask_as_number:var:12323232323232323
Set Interactive Session Timeoutxccdf_org.ssgproject.content_rule_accounts_tmout mediumCCE-80673-7

Set Interactive Session Timeout

Rule IDxccdf_org.ssgproject.content_rule_accounts_tmout
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_tmout:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80673-7

References:  BP28(R29), 1, 12, 15, 16, DSS05.04, DSS05.10, DSS06.10, 3.1.11, CCI-000057, CCI-001133, CCI-002361, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, SR 1.1, SR 1.10, SR 1.2, SR 1.5, SR 1.7, SR 1.8, SR 1.9, A.18.1.4, A.9.2.1, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-12, SC-10, AC-2(5), CM-6(a), PR.AC-7, FMT_MOF_EXT.1, SRG-OS-000163-GPOS-00072, SRG-OS-000029-GPOS-00010, SRG-OS-000163-VMM-000700, SRG-OS-000279-VMM-001010, 5.6.3

Description
Setting the TMOUT option in /etc/profile ensures that all user sessions will terminate based on inactivity. The value of TMOUT should be exported and read only. The TMOUT setting in a file loaded by /etc/profile, e.g. /etc/profile.d/tmout.sh should read as follows:
declare -xr TMOUT=900
Rationale
Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been left unattended.
OVAL test results details

TMOUT in /etc/profile  oval:ssg-test_etc_profile_tmout:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_etc_profile_tmout:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/profile^[\s]*declare[\s]+-xr[\s]+TMOUT=([\w$]+).*$1

TMOUT in /etc/profile.d/*.sh  oval:ssg-test_etc_profiled_tmout:tst:1  true

Following items have been found on the system:
PathContent
/etc/profile.d/tmout.shdeclare -xr TMOUT=900
User Initialization Files Must Not Run World-Writable Programsxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs mediumCCE-84039-7

User Initialization Files Must Not Run World-Writable Programs

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_dot_no_world_writable_programs:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84039-7

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010660, 6.2.12, SV-230309r627750_rule

Description
Set the mode on files being executed by the user initialization files with the following command:
$ sudo chmod o-w FILE
Rationale
If user start-up files execute world-writable programs, especially in unprotected directories, they could be maliciously modified to destroy user files or otherwise compromise the system at the user level. If the system is compromised at the user level, it is easier to elevate privileges to eventually compromise the system at the root and network level.
OVAL test results details

Init files do not execute world-writable programs  oval:ssg-test_accounts_user_dot_no_world_writable_programs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_accounts_user_dot_no_world_writable_programs_init_files:obj:1 of type textfilecontent54_object
BehaviorsPathFilenamePatternInstance
^[^#]*/sys/fs/selinux/validatetrans
^[^#]*/proc/sys/kernel/ns_last_pid
^[^#]*/proc/2/task/2/attr/current
^[^#]*/proc/1/task/1/attr/current
^[^#]*/proc/1/task/1/attr/keycreate
^[^#]*/proc/1/attr/current
^[^#]*/proc/1/attr/fscreate
^[^#]*/proc/2/attr/exec
^[^#]*/proc/1/task/1/attr/sockcreate
^[^#]*/proc/1/attr/keycreate
^[^#]*/proc/1/task/1/attr/exec
^[^#]*/proc/1/task/1/attr/fscreate
^[^#]*/proc/1/attr/exec
^[^#]*/proc/1/timerslack_ns
^[^#]*/proc/1/attr/sockcreate
^[^#]*/proc/2/task/2/attr/keycreate
^[^#]*/proc/2/task/2/attr/sockcreate
^[^#]*/proc/2/attr/current
^[^#]*/proc/2/attr/keycreate
^[^#]*/proc/2/timerslack_ns
^[^#]*/proc/2/attr/sockcreate
^[^#]*/proc/3/attr/fscreate
^[^#]*/proc/2/task/2/attr/exec
^[^#]*/proc/2/task/2/attr/fscreate
^[^#]*/proc/2/attr/fscreate
^[^#]*/proc/3/task/3/attr/exec
^[^#]*/proc/3/task/3/attr/keycreate
^[^#]*/proc/3/task/3/attr/sockcreate
^[^#]*/proc/3/attr/current
^[^#]*/proc/3/attr/exec
^[^#]*/proc/4/attr/fscreate
^[^#]*/proc/3/timerslack_ns
^[^#]*/proc/3/attr/sockcreate
^[^#]*/proc/4/task/4/attr/current
^[^#]*/proc/3/task/3/attr/current
^[^#]*/proc/3/task/3/attr/fscreate
^[^#]*/proc/3/attr/keycreate
^[^#]*/proc/4/task/4/attr/keycreate
^[^#]*/proc/4/task/4/attr/sockcreate
^[^#]*/proc/4/attr/exec
^[^#]*/proc/4/attr/current
^[^#]*/proc/4/timerslack_ns
^[^#]*/proc/4/attr/sockcreate
^[^#]*/proc/6/task/6/attr/current
^[^#]*/proc/6/attr/fscreate
^[^#]*/proc/4/task/4/attr/exec
^[^#]*/proc/4/task/4/attr/fscreate
^[^#]*/proc/4/attr/keycreate
^[^#]*/proc/6/task/6/attr/fscreate
^[^#]*/proc/6/task/6/attr/exec
^[^#]*/proc/6/task/6/attr/keycreate
^[^#]*/proc/6/task/6/attr/sockcreate
^[^#]*/proc/6/attr/current
^[^#]*/proc/6/attr/exec
^[^#]*/proc/6/timerslack_ns
^[^#]*/proc/6/attr/sockcreate
^[^#]*/proc/9/attr/fscreate
^[^#]*/proc/6/attr/keycreate
^[^#]*/proc/9/attr/exec
^[^#]*/proc/9/task/9/attr/current
^[^#]*/proc/9/task/9/attr/keycreate
^[^#]*/proc/9/task/9/attr/sockcreate
^[^#]*/proc/9/attr/current
^[^#]*/proc/9/timerslack_ns
^[^#]*/proc/9/attr/sockcreate
^[^#]*/proc/10/attr/keycreate
^[^#]*/proc/9/task/9/attr/exec
^[^#]*/proc/9/task/9/attr/fscreate
^[^#]*/proc/9/attr/keycreate
^[^#]*/proc/10/attr/exec
^[^#]*/proc/10/task/10/attr/current
^[^#]*/proc/10/attr/current
^[^#]*/proc/10/task/10/attr/sockcreate
^[^#]*/proc/10/attr/fscreate
^[^#]*/proc/10/timerslack_ns
^[^#]*/proc/10/attr/sockcreate
^[^#]*/proc/11/attr/fscreate
^[^#]*/proc/11/timerslack_ns
^[^#]*/proc/10/task/10/attr/exec
^[^#]*/proc/10/task/10/attr/fscreate
^[^#]*/proc/10/task/10/attr/keycreate
^[^#]*/proc/11/task/11/attr/current
^[^#]*/proc/11/task/11/attr/keycreate
^[^#]*/proc/11/task/11/attr/sockcreate
^[^#]*/proc/11/attr/exec
^[^#]*/proc/11/task/11/attr/fscreate
^[^#]*/proc/11/attr/current
^[^#]*/proc/12/attr/keycreate
^[^#]*/proc/11/attr/sockcreate
^[^#]*/proc/11/task/11/attr/exec
^[^#]*/proc/11/attr/keycreate
^[^#]*/proc/12/attr/fscreate
^[^#]*/proc/12/task/12/attr/current
^[^#]*/proc/12/task/12/attr/keycreate
^[^#]*/proc/12/task/12/attr/sockcreate
^[^#]*/proc/12/attr/exec
^[^#]*/proc/12/attr/current
^[^#]*/proc/13/attr/exec
^[^#]*/proc/12/task/12/attr/exec
^[^#]*/proc/12/task/12/attr/fscreate
^[^#]*/proc/12/timerslack_ns
^[^#]*/proc/12/attr/sockcreate
^[^#]*/proc/13/task/13/attr/current
^[^#]*/proc/13/task/13/attr/keycreate
^[^#]*/proc/13/attr/current
^[^#]*/proc/13/task/13/attr/sockcreate
^[^#]*/proc/13/attr/fscreate
^[^#]*/proc/13/timerslack_ns
^[^#]*/proc/13/attr/sockcreate
^[^#]*/proc/14/timerslack_ns
^[^#]*/proc/14/attr/current
^[^#]*/proc/13/task/13/attr/fscreate
^[^#]*/proc/13/task/13/attr/exec
^[^#]*/proc/13/attr/keycreate
^[^#]*/proc/14/task/14/attr/current
^[^#]*/proc/14/task/14/attr/keycreate
^[^#]*/proc/14/task/14/attr/sockcreate
^[^#]*/proc/14/attr/fscreate
^[^#]*/proc/14/attr/exec
^[^#]*/proc/14/attr/sockcreate
^[^#]*/proc/15/attr/fscreate
^[^#]*/proc/15/attr/exec
^[^#]*/proc/14/task/14/attr/fscreate
^[^#]*/proc/14/task/14/attr/exec
^[^#]*/proc/14/attr/keycreate
^[^#]*/proc/15/task/15/attr/current
^[^#]*/proc/15/task/15/attr/keycreate
^[^#]*/proc/15/task/15/attr/sockcreate
^[^#]*/proc/15/attr/current
^[^#]*/proc/15/timerslack_ns
^[^#]*/proc/15/attr/sockcreate
^[^#]*/proc/15/task/15/attr/fscreate
^[^#]*/proc/15/task/15/attr/exec
^[^#]*/proc/15/attr/keycreate
^[^#]*/proc/16/task/16/attr/current
^[^#]*/proc/16/task/16/attr/keycreate
^[^#]*/proc/16/task/16/attr/sockcreate
^[^#]*/proc/16/attr/fscreate
^[^#]*/proc/16/attr/keycreate
^[^#]*/proc/16/timerslack_ns
^[^#]*/proc/16/attr/sockcreate
^[^#]*/proc/16/attr/exec
^[^#]*/proc/16/attr/current
^[^#]*/proc/17/attr/fscreate
^[^#]*/proc/16/task/16/attr/fscreate
^[^#]*/proc/16/task/16/attr/exec
^[^#]*/proc/17/attr/current
^[^#]*/proc/17/task/17/attr/current
^[^#]*/proc/17/task/17/attr/keycreate
^[^#]*/proc/17/task/17/attr/sockcreate
^[^#]*/proc/17/attr/exec
^[^#]*/proc/17/timerslack_ns
^[^#]*/proc/17/attr/sockcreate
^[^#]*/proc/18/attr/keycreate
^[^#]*/proc/17/task/17/attr/fscreate
^[^#]*/proc/17/task/17/attr/exec
^[^#]*/proc/17/attr/keycreate
^[^#]*/proc/18/task/18/attr/keycreate
^[^#]*/proc/18/task/18/attr/sockcreate
^[^#]*/proc/18/attr/current
^[^#]*/proc/18/task/18/attr/current
^[^#]*/proc/18/attr/fscreate
^[^#]*/proc/18/attr/exec
^[^#]*/proc/20/attr/exec
^[^#]*/proc/18/task/18/attr/exec
^[^#]*/proc/18/task/18/attr/fscreate
^[^#]*/proc/18/timerslack_ns
^[^#]*/proc/18/attr/sockcreate
^[^#]*/proc/20/attr/fscreate
^[^#]*/proc/20/task/20/attr/fscreate
^[^#]*/proc/20/task/20/attr/keycreate
^[^#]*/proc/20/task/20/attr/sockcreate
^[^#]*/proc/20/attr/current
^[^#]*/proc/20/task/20/attr/current
^[^#]*/proc/23/attr/keycreate
^[^#]*/proc/20/timerslack_ns
^[^#]*/proc/20/attr/sockcreate
^[^#]*/proc/20/task/20/attr/exec
^[^#]*/proc/20/attr/keycreate
^[^#]*/proc/23/task/23/attr/current
^[^#]*/proc/23/task/23/attr/keycreate
^[^#]*/proc/23/task/23/attr/sockcreate
^[^#]*/proc/23/attr/exec
^[^#]*/proc/23/attr/current
^[^#]*/proc/23/attr/fscreate
^[^#]*/proc/23/task/23/attr/fscreate
^[^#]*/proc/23/task/23/attr/exec
^[^#]*/proc/23/timerslack_ns
^[^#]*/proc/23/attr/sockcreate
^[^#]*/proc/24/task/24/attr/keycreate
^[^#]*/proc/24/attr/current
^[^#]*/proc/24/task/24/attr/sockcreate
^[^#]*/proc/24/task/24/attr/current
^[^#]*/proc/24/attr/exec
^[^#]*/proc/24/attr/fscreate
^[^#]*/proc/24/attr/sockcreate
^[^#]*/proc/24/timerslack_ns
^[^#]*/proc/25/attr/fscreate
^[^#]*/proc/25/timerslack_ns
^[^#]*/proc/24/task/24/attr/exec
^[^#]*/proc/24/task/24/attr/fscreate
^[^#]*/proc/24/attr/keycreate
^[^#]*/proc/25/attr/exec
^[^#]*/proc/25/task/25/attr/current
^[^#]*/proc/25/task/25/attr/fscreate
^[^#]*/proc/25/task/25/attr/keycreate
^[^#]*/proc/25/task/25/attr/sockcreate
^[^#]*/proc/25/attr/current
^[^#]*/proc/25/attr/sockcreate
^[^#]*/proc/27/timerslack_ns
^[^#]*/proc/27/attr/current
^[^#]*/proc/25/task/25/attr/exec
^[^#]*/proc/25/attr/keycreate
^[^#]*/proc/27/task/27/attr/current
^[^#]*/proc/27/task/27/attr/sockcreate
^[^#]*/proc/27/attr/exec
^[^#]*/proc/27/attr/fscreate
^[^#]*/proc/27/task/27/attr/fscreate
^[^#]*/proc/27/attr/sockcreate
^[^#]*/proc/28/attr/fscreate
^[^#]*/proc/28/timerslack_ns
^[^#]*/proc/27/task/27/attr/exec
^[^#]*/proc/27/task/27/attr/keycreate
^[^#]*/proc/27/attr/keycreate
^[^#]*/proc/28/task/28/attr/fscreate
^[^#]*/proc/28/task/28/attr/keycreate
^[^#]*/proc/28/task/28/attr/sockcreate
^[^#]*/proc/28/attr/current
^[^#]*/proc/28/attr/exec
^[^#]*/proc/28/task/28/attr/current
^[^#]*/proc/28/attr/sockcreate
^[^#]*/proc/29/attr/keycreate
^[^#]*/proc/29/timerslack_ns
^[^#]*/proc/28/task/28/attr/exec
^[^#]*/proc/28/attr/keycreate
^[^#]*/proc/29/task/29/attr/current
^[^#]*/proc/29/task/29/attr/keycreate
^[^#]*/proc/29/task/29/attr/sockcreate
^[^#]*/proc/29/attr/current
^[^#]*/proc/29/attr/exec
^[^#]*/proc/29/attr/fscreate
^[^#]*/proc/30/attr/keycreate
^[^#]*/proc/29/task/29/attr/fscreate
^[^#]*/proc/29/task/29/attr/exec
^[^#]*/proc/29/attr/sockcreate
^[^#]*/proc/30/task/30/attr/keycreate
^[^#]*/proc/30/task/30/attr/sockcreate
^[^#]*/proc/30/attr/exec
^[^#]*/proc/30/task/30/attr/current
^[^#]*/proc/30/attr/current
^[^#]*/proc/30/attr/fscreate
^[^#]*/proc/30/task/30/attr/exec
^[^#]*/proc/30/task/30/attr/fscreate
^[^#]*/proc/30/timerslack_ns
^[^#]*/proc/30/attr/sockcreate
^[^#]*/proc/31/attr/fscreate
^[^#]*/proc/31/task/31/attr/current
^[^#]*/proc/31/task/31/attr/keycreate
^[^#]*/proc/31/task/31/attr/sockcreate
^[^#]*/proc/31/attr/exec
^[^#]*/proc/31/attr/current
^[^#]*/proc/31/timerslack_ns
^[^#]*/proc/31/attr/sockcreate
^[^#]*/proc/32/attr/keycreate
^[^#]*/proc/32/timerslack_ns
^[^#]*/proc/31/task/31/attr/fscreate
^[^#]*/proc/31/task/31/attr/exec
^[^#]*/proc/31/attr/keycreate
^[^#]*/proc/32/attr/fscreate
^[^#]*/proc/32/task/32/attr/fscreate
^[^#]*/proc/32/attr/current
^[^#]*/proc/32/task/32/attr/sockcreate
^[^#]*/proc/32/task/32/attr/current
^[^#]*/proc/32/attr/exec
^[^#]*/proc/33/timerslack_ns
^[^#]*/proc/33/attr/exec
^[^#]*/proc/32/task/32/attr/exec
^[^#]*/proc/32/task/32/attr/keycreate
^[^#]*/proc/32/attr/sockcreate
^[^#]*/proc/33/attr/fscreate
^[^#]*/proc/33/task/33/attr/current
^[^#]*/proc/33/task/33/attr/keycreate
^[^#]*/proc/33/task/33/attr/sockcreate
^[^#]*/proc/33/attr/current
^[^#]*/proc/34/attr/keycreate
^[^#]*/proc/33/attr/sockcreate
^[^#]*/proc/34/task/34/attr/current
^[^#]*/proc/34/attr/exec
^[^#]*/proc/33/task/33/attr/fscreate
^[^#]*/proc/33/task/33/attr/exec
^[^#]*/proc/33/attr/keycreate
^[^#]*/proc/34/task/34/attr/keycreate
^[^#]*/proc/34/task/34/attr/sockcreate
^[^#]*/proc/34/attr/fscreate
^[^#]*/proc/35/attr/keycreate
^[^#]*/proc/35/timerslack_ns
^[^#]*/proc/34/task/34/attr/fscreate
^[^#]*/proc/34/task/34/attr/exec
^[^#]*/proc/34/attr/current
^[^#]*/proc/34/timerslack_ns
^[^#]*/proc/34/attr/sockcreate
^[^#]*/proc/35/task/35/attr/fscreate
^[^#]*/proc/35/task/35/attr/keycreate
^[^#]*/proc/35/task/35/attr/sockcreate
^[^#]*/proc/35/attr/current
^[^#]*/proc/35/task/35/attr/current
^[^#]*/proc/35/attr/exec
^[^#]*/proc/35/attr/fscreate
^[^#]*/proc/36/attr/keycreate
^[^#]*/proc/35/attr/sockcreate
^[^#]*/proc/36/attr/current
^[^#]*/proc/35/task/35/attr/exec
^[^#]*/proc/36/attr/fscreate
^[^#]*/proc/36/task/36/attr/current
^[^#]*/proc/36/task/36/attr/keycreate
^[^#]*/proc/36/task/36/attr/sockcreate
^[^#]*/proc/36/attr/exec
^[^#]*/proc/37/attr/fscreate
^[^#]*/proc/37/timerslack_ns
^[^#]*/proc/37/attr/exec
^[^#]*/proc/36/task/36/attr/fscreate
^[^#]*/proc/36/task/36/attr/exec
^[^#]*/proc/36/timerslack_ns
^[^#]*/proc/36/attr/sockcreate
^[^#]*/proc/37/task/37/attr/fscreate
^[^#]*/proc/37/task/37/attr/keycreate
^[^#]*/proc/37/task/37/attr/sockcreate
^[^#]*/proc/37/task/37/attr/current
^[^#]*/proc/37/attr/current
^[^#]*/proc/37/attr/sockcreate
^[^#]*/proc/38/timerslack_ns
^[^#]*/proc/37/task/37/attr/exec
^[^#]*/proc/37/attr/keycreate
^[^#]*/proc/38/attr/exec
^[^#]*/proc/38/task/38/attr/current
^[^#]*/proc/38/task/38/attr/keycreate
^[^#]*/proc/38/attr/current
^[^#]*/proc/38/task/38/attr/sockcreate
^[^#]*/proc/38/attr/fscreate
^[^#]*/proc/38/attr/sockcreate
^[^#]*/proc/39/attr/fscreate
^[^#]*/proc/38/task/38/attr/fscreate
^[^#]*/proc/38/task/38/attr/exec
^[^#]*/proc/38/attr/keycreate
^[^#]*/proc/39/task/39/attr/current
^[^#]*/proc/39/task/39/attr/keycreate
^[^#]*/proc/39/task/39/attr/sockcreate
^[^#]*/proc/39/attr/exec
^[^#]*/proc/39/attr/current
^[^#]*/proc/41/attr/exec
^[^#]*/proc/39/timerslack_ns
^[^#]*/proc/39/attr/sockcreate
^[^#]*/proc/40/attr/fscreate
^[^#]*/proc/40/timerslack_ns
^[^#]*/proc/39/task/39/attr/fscreate
^[^#]*/proc/39/task/39/attr/exec
^[^#]*/proc/39/attr/keycreate
^[^#]*/proc/40/task/40/attr/current
^[^#]*/proc/40/task/40/attr/keycreate
^[^#]*/proc/40/attr/current
^[^#]*/proc/40/task/40/attr/sockcreate
^[^#]*/proc/40/attr/exec
^[^#]*/proc/40/attr/sockcreate
^[^#]*/proc/40/task/40/attr/fscreate
^[^#]*/proc/40/task/40/attr/exec
^[^#]*/proc/40/attr/keycreate
^[^#]*/proc/41/task/41/attr/current
^[^#]*/proc/41/task/41/attr/keycreate
^[^#]*/proc/41/attr/current
^[^#]*/proc/41/task/41/attr/sockcreate
^[^#]*/proc/41/attr/fscreate
^[^#]*/proc/62/attr/exec
^[^#]*/proc/41/task/41/attr/fscreate
^[^#]*/proc/41/task/41/attr/exec
^[^#]*/proc/41/attr/keycreate
^[^#]*/proc/41/timerslack_ns
^[^#]*/proc/41/attr/sockcreate
^[^#]*/proc/62/attr/fscreate
^[^#]*/proc/62/task/62/attr/fscreate
^[^#]*/proc/62/task/62/attr/keycreate
^[^#]*/proc/62/task/62/attr/sockcreate
^[^#]*/proc/62/attr/current
^[^#]*/proc/62/task/62/attr/current
^[^#]*/proc/62/timerslack_ns
^[^#]*/proc/62/attr/sockcreate
^[^#]*/proc/155/task/155/attr/current
^[^#]*/proc/62/task/62/attr/exec
^[^#]*/proc/62/attr/keycreate
^[^#]*/proc/155/attr/fscreate
^[^#]*/proc/155/task/155/attr/keycreate
^[^#]*/proc/155/task/155/attr/sockcreate
^[^#]*/proc/155/attr/current
^[^#]*/proc/155/attr/exec
^[^#]*/proc/155/timerslack_ns
^[^#]*/proc/155/attr/sockcreate
^[^#]*/proc/155/task/155/attr/fscreate
^[^#]*/proc/155/task/155/attr/exec
^[^#]*/proc/155/attr/keycreate
^[^#]*/proc/156/task/156/attr/current
^[^#]*/proc/156/task/156/attr/keycreate
^[^#]*/proc/156/task/156/attr/sockcreate
^[^#]*/proc/156/attr/current
^[^#]*/proc/156/attr/exec
^[^#]*/proc/156/attr/fscreate
^[^#]*/proc/156/attr/sockcreate
^[^#]*/proc/156/timerslack_ns
^[^#]*/proc/157/task/157/attr/current
^[^#]*/proc/156/task/156/attr/exec
^[^#]*/proc/156/task/156/attr/fscreate
^[^#]*/proc/156/attr/keycreate
^[^#]*/proc/157/task/157/attr/fscreate
^[^#]*/proc/157/task/157/attr/keycreate
^[^#]*/proc/157/task/157/attr/sockcreate
^[^#]*/proc/157/attr/exec
^[^#]*/proc/157/attr/fscreate
^[^#]*/proc/157/attr/current
^[^#]*/proc/157/attr/sockcreate
^[^#]*/proc/157/timerslack_ns
^[^#]*/proc/158/attr/keycreate
^[^#]*/proc/157/task/157/attr/exec
^[^#]*/proc/157/attr/keycreate
^[^#]*/proc/158/attr/fscreate
^[^#]*/proc/158/task/158/attr/current
^[^#]*/proc/158/task/158/attr/keycreate
^[^#]*/proc/158/task/158/attr/sockcreate
^[^#]*/proc/158/attr/exec
^[^#]*/proc/158/attr/current
^[^#]*/proc/158/timerslack_ns
^[^#]*/proc/159/task/159/attr/current
^[^#]*/proc/159/attr/fscreate
^[^#]*/proc/158/task/158/attr/exec
^[^#]*/proc/158/task/158/attr/fscreate
^[^#]*/proc/158/attr/sockcreate
^[^#]*/proc/159/attr/exec
^[^#]*/proc/159/task/159/attr/keycreate
^[^#]*/proc/159/task/159/attr/sockcreate
^[^#]*/proc/159/attr/current
^[^#]*/proc/159/attr/sockcreate
^[^#]*/proc/159/timerslack_ns
^[^#]*/proc/160/task/160/attr/current
^[^#]*/proc/159/task/159/attr/fscreate
^[^#]*/proc/159/task/159/attr/exec
^[^#]*/proc/159/attr/keycreate
^[^#]*/proc/160/attr/exec
^[^#]*/proc/160/task/160/attr/keycreate
^[^#]*/proc/160/task/160/attr/sockcreate
^[^#]*/proc/160/attr/fscreate
^[^#]*/proc/160/attr/current
^[^#]*/proc/160/attr/sockcreate
^[^#]*/proc/160/timerslack_ns
^[^#]*/proc/239/task/239/attr/current
^[^#]*/proc/239/attr/fscreate
^[^#]*/proc/160/task/160/attr/fscreate
^[^#]*/proc/160/task/160/attr/exec
^[^#]*/proc/160/attr/keycreate
^[^#]*/proc/239/task/239/attr/keycreate
^[^#]*/proc/239/task/239/attr/sockcreate
^[^#]*/proc/239/attr/current
^[^#]*/proc/239/attr/exec
^[^#]*/proc/239/timerslack_ns
^[^#]*/proc/433/attr/keycreate
^[^#]*/proc/239/attr/sockcreate
^[^#]*/proc/433/task/433/attr/current
^[^#]*/proc/239/task/239/attr/exec
^[^#]*/proc/239/task/239/attr/fscreate
^[^#]*/proc/239/attr/keycreate
^[^#]*/proc/433/attr/fscreate
^[^#]*/proc/433/task/433/attr/fscreate
^[^#]*/proc/433/task/433/attr/keycreate
^[^#]*/proc/433/attr/current
^[^#]*/proc/433/task/433/attr/sockcreate
^[^#]*/proc/433/attr/exec
^[^#]*/proc/433/attr/sockcreate
^[^#]*/proc/433/timerslack_ns
^[^#]*/proc/435/task/435/attr/current
^[^#]*/proc/435/attr/keycreate
^[^#]*/proc/435/attr/exec
^[^#]*/proc/433/task/433/attr/exec
^[^#]*/proc/435/task/435/attr/keycreate
^[^#]*/proc/435/task/435/attr/sockcreate
^[^#]*/proc/435/attr/fscreate
^[^#]*/proc/435/timerslack_ns
^[^#]*/proc/435/attr/current
^[^#]*/proc/437/task/437/attr/current
^[^#]*/proc/435/task/435/attr/fscreate
^[^#]*/proc/435/task/435/attr/exec
^[^#]*/proc/435/attr/sockcreate
^[^#]*/proc/444/task/444/attr/current
^[^#]*/proc/437/task/437/attr/keycreate
^[^#]*/proc/437/task/437/attr/sockcreate
^[^#]*/proc/437/attr/exec
^[^#]*/proc/437/attr/fscreate
^[^#]*/proc/437/attr/current
^[^#]*/proc/437/attr/sockcreate
^[^#]*/proc/437/timerslack_ns
^[^#]*/proc/441/attr/fscreate
^[^#]*/proc/441/attr/current
^[^#]*/proc/437/task/437/attr/fscreate
^[^#]*/proc/437/task/437/attr/exec
^[^#]*/proc/437/attr/keycreate
^[^#]*/proc/441/attr/exec
^[^#]*/proc/441/task/441/attr/keycreate
^[^#]*/proc/441/task/441/attr/sockcreate
^[^#]*/proc/441/task/441/attr/fscreate
^[^#]*/proc/441/task/441/attr/current
^[^#]*/proc/441/attr/sockcreate
^[^#]*/proc/441/timerslack_ns
^[^#]*/proc/444/attr/exec
^[^#]*/proc/444/attr/fscreate
^[^#]*/proc/441/task/441/attr/exec
^[^#]*/proc/441/attr/keycreate
^[^#]*/proc/444/task/444/attr/fscreate
^[^#]*/proc/444/task/444/attr/keycreate
^[^#]*/proc/444/task/444/attr/sockcreate
^[^#]*/proc/444/attr/current
^[^#]*/proc/444/timerslack_ns
^[^#]*/proc/444/attr/sockcreate
^[^#]*/proc/445/task/445/attr/current
^[^#]*/proc/444/task/444/attr/exec
^[^#]*/proc/444/attr/keycreate
^[^#]*/proc/445/task/445/attr/keycreate
^[^#]*/proc/445/task/445/attr/sockcreate
^[^#]*/proc/445/attr/exec
^[^#]*/proc/445/attr/fscreate
^[^#]*/proc/445/attr/current
^[^#]*/proc/445/attr/sockcreate
^[^#]*/proc/445/timerslack_ns
^[^#]*/proc/447/task/447/attr/current
^[^#]*/proc/447/attr/keycreate
^[^#]*/proc/445/task/445/attr/fscreate
^[^#]*/proc/445/task/445/attr/exec
^[^#]*/proc/445/attr/keycreate
^[^#]*/proc/447/task/447/attr/keycreate
^[^#]*/proc/447/task/447/attr/sockcreate
^[^#]*/proc/447/attr/current
^[^#]*/proc/447/timerslack_ns
^[^#]*/proc/447/attr/fscreate
^[^#]*/proc/447/attr/exec
^[^#]*/proc/447/task/447/attr/fscreate
^[^#]*/proc/447/task/447/attr/exec
^[^#]*/proc/447/attr/sockcreate
^[^#]*/proc/448/task/448/attr/fscreate
^[^#]*/proc/448/task/448/attr/keycreate
^[^#]*/proc/448/task/448/attr/sockcreate
^[^#]*/proc/448/attr/current
^[^#]*/proc/448/attr/fscreate
^[^#]*/proc/448/task/448/attr/current
^[^#]*/proc/448/attr/exec
^[^#]*/proc/448/attr/keycreate
^[^#]*/proc/448/timerslack_ns
^[^#]*/proc/449/task/449/attr/current
^[^#]*/proc/449/attr/keycreate
^[^#]*/proc/448/task/448/attr/exec
^[^#]*/proc/448/attr/sockcreate
^[^#]*/proc/449/attr/current
^[^#]*/proc/449/task/449/attr/fscreate
^[^#]*/proc/449/task/449/attr/keycreate
^[^#]*/proc/449/task/449/attr/sockcreate
^[^#]*/proc/449/attr/fscreate
^[^#]*/proc/449/attr/exec
^[^#]*/proc/449/timerslack_ns
^[^#]*/proc/519/task/519/attr/current
^[^#]*/proc/519/attr/keycreate
^[^#]*/proc/449/task/449/attr/exec
^[^#]*/proc/449/attr/sockcreate
^[^#]*/proc/519/task/519/attr/keycreate
^[^#]*/proc/519/task/519/attr/sockcreate
^[^#]*/proc/519/attr/exec
^[^#]*/proc/519/attr/fscreate
^[^#]*/proc/519/timerslack_ns
^[^#]*/proc/522/attr/keycreate
^[^#]*/proc/519/attr/current
^[^#]*/proc/519/attr/sockcreate
^[^#]*/proc/522/attr/exec
^[^#]*/proc/519/task/519/attr/fscreate
^[^#]*/proc/519/task/519/attr/exec
^[^#]*/proc/522/task/522/attr/current
^[^#]*/proc/522/task/522/attr/keycreate
^[^#]*/proc/522/attr/current
^[^#]*/proc/522/task/522/attr/sockcreate
^[^#]*/proc/522/attr/fscreate
^[^#]*/proc/522/attr/sockcreate
^[^#]*/proc/522/timerslack_ns
^[^#]*/proc/525/attr/fscreate
^[^#]*/proc/522/task/522/attr/fscreate
^[^#]*/proc/522/task/522/attr/exec
^[^#]*/proc/525/task/525/attr/current
^[^#]*/proc/525/task/525/attr/keycreate
^[^#]*/proc/525/task/525/attr/sockcreate
^[^#]*/proc/525/attr/exec
^[^#]*/proc/525/attr/current
^[^#]*/proc/525/attr/sockcreate
^[^#]*/proc/525/timerslack_ns
^[^#]*/proc/528/attr/keycreate
^[^#]*/proc/525/task/525/attr/exec
^[^#]*/proc/525/task/525/attr/fscreate
^[^#]*/proc/525/attr/keycreate
^[^#]*/proc/528/task/528/attr/current
^[^#]*/proc/528/task/528/attr/keycreate
^[^#]*/proc/528/task/528/attr/sockcreate
^[^#]*/proc/528/attr/exec
^[^#]*/proc/528/attr/fscreate
^[^#]*/proc/528/timerslack_ns
^[^#]*/proc/534/task/534/attr/current
^[^#]*/proc/528/attr/current
^[^#]*/proc/528/attr/sockcreate
^[^#]*/proc/528/task/528/attr/fscreate
^[^#]*/proc/528/task/528/attr/exec
^[^#]*/proc/534/attr/current
^[^#]*/proc/534/attr/exec
^[^#]*/proc/534/task/534/attr/keycreate
^[^#]*/proc/534/task/534/attr/sockcreate
^[^#]*/proc/534/attr/fscreate
^[^#]*/proc/534/attr/sockcreate
^[^#]*/proc/534/timerslack_ns
^[^#]*/proc/534/task/534/attr/fscreate
^[^#]*/proc/534/task/534/attr/exec
^[^#]*/proc/534/attr/keycreate
^[^#]*/proc/562/attr/exec
^[^#]*/proc/562/attr/fscreate
^[^#]*/proc/562/task/562/attr/keycreate
^[^#]*/proc/562/task/562/attr/sockcreate
^[^#]*/proc/562/attr/current
^[^#]*/proc/562/task/562/attr/current
^[^#]*/proc/562/attr/sockcreate
^[^#]*/proc/562/timerslack_ns
^[^#]*/proc/563/task/563/attr/current
^[^#]*/proc/563/attr/fscreate
^[^#]*/proc/562/task/562/attr/exec
^[^#]*/proc/562/task/562/attr/fscreate
^[^#]*/proc/562/attr/keycreate
^[^#]*/proc/563/attr/current
^[^#]*/proc/563/attr/exec
^[^#]*/proc/563/task/563/attr/keycreate
^[^#]*/proc/563/task/563/attr/sockcreate
^[^#]*/proc/563/attr/sockcreate
^[^#]*/proc/563/timerslack_ns
^[^#]*/proc/564/attr/keycreate
^[^#]*/proc/563/task/563/attr/fscreate
^[^#]*/proc/563/task/563/attr/exec
^[^#]*/proc/563/attr/keycreate
^[^#]*/proc/564/task/564/attr/keycreate
^[^#]*/proc/564/task/564/attr/sockcreate
^[^#]*/proc/564/attr/current
^[^#]*/proc/564/attr/fscreate
^[^#]*/proc/564/attr/exec
^[^#]*/proc/564/timerslack_ns
^[^#]*/proc/565/task/565/attr/current
^[^#]*/proc/565/attr/keycreate
^[^#]*/proc/564/task/564/attr/current
^[^#]*/proc/564/task/564/attr/fscreate
^[^#]*/proc/564/task/564/attr/exec
^[^#]*/proc/564/attr/sockcreate
^[^#]*/proc/565/task/565/attr/keycreate
^[^#]*/proc/565/task/565/attr/sockcreate
^[^#]*/proc/565/attr/exec
^[^#]*/proc/565/attr/fscreate
^[^#]*/proc/565/timerslack_ns
^[^#]*/proc/566/task/566/attr/current
^[^#]*/proc/566/attr/keycreate
^[^#]*/proc/565/attr/current
^[^#]*/proc/565/task/565/attr/fscreate
^[^#]*/proc/565/task/565/attr/exec
^[^#]*/proc/565/attr/sockcreate
^[^#]*/proc/566/attr/fscreate
^[^#]*/proc/566/task/566/attr/keycreate
^[^#]*/proc/566/task/566/attr/sockcreate
^[^#]*/proc/566/attr/current
^[^#]*/proc/566/attr/exec
^[^#]*/proc/566/timerslack_ns
^[^#]*/proc/567/attr/keycreate
^[^#]*/proc/567/task/567/attr/current
^[^#]*/proc/567/attr/exec
^[^#]*/proc/566/task/566/attr/fscreate
^[^#]*/proc/566/task/566/attr/exec
^[^#]*/proc/566/attr/sockcreate
^[^#]*/proc/567/attr/fscreate
^[^#]*/proc/567/task/567/attr/keycreate
^[^#]*/proc/567/task/567/attr/sockcreate
^[^#]*/proc/567/attr/current
^[^#]*/proc/567/timerslack_ns
^[^#]*/proc/568/task/568/attr/current
^[^#]*/proc/568/attr/fscreate
^[^#]*/proc/567/task/567/attr/fscreate
^[^#]*/proc/567/task/567/attr/exec
^[^#]*/proc/567/attr/sockcreate
^[^#]*/proc/568/task/568/attr/keycreate
^[^#]*/proc/568/task/568/attr/sockcreate
^[^#]*/proc/568/attr/current
^[^#]*/proc/568/attr/exec
^[^#]*/proc/568/attr/sockcreate
^[^#]*/proc/568/timerslack_ns
^[^#]*/proc/569/attr/keycreate
^[^#]*/proc/568/task/568/attr/fscreate
^[^#]*/proc/568/task/568/attr/exec
^[^#]*/proc/568/attr/keycreate
^[^#]*/proc/569/task/569/attr/fscreate
^[^#]*/proc/569/task/569/attr/keycreate
^[^#]*/proc/569/task/569/attr/sockcreate
^[^#]*/proc/569/attr/exec
^[^#]*/proc/569/attr/current
^[^#]*/proc/569/attr/fscreate
^[^#]*/proc/569/timerslack_ns
^[^#]*/proc/570/task/570/attr/current
^[^#]*/proc/570/attr/fscreate
^[^#]*/proc/569/task/569/attr/current
^[^#]*/proc/569/task/569/attr/exec
^[^#]*/proc/569/attr/sockcreate
^[^#]*/proc/570/task/570/attr/keycreate
^[^#]*/proc/570/task/570/attr/sockcreate
^[^#]*/proc/570/attr/current
^[^#]*/proc/570/attr/exec
^[^#]*/proc/570/attr/sockcreate
^[^#]*/proc/570/timerslack_ns
^[^#]*/proc/604/attr/exec
^[^#]*/proc/604/attr/fscreate
^[^#]*/proc/570/task/570/attr/fscreate
^[^#]*/proc/570/task/570/attr/exec
^[^#]*/proc/570/attr/keycreate
^[^#]*/proc/604/task/604/attr/current
^[^#]*/proc/604/task/604/attr/keycreate
^[^#]*/proc/604/task/604/attr/sockcreate
^[^#]*/proc/604/attr/current
^[^#]*/proc/604/attr/sockcreate
^[^#]*/proc/604/timerslack_ns
^[^#]*/proc/605/task/605/attr/current
^[^#]*/proc/605/attr/fscreate
^[^#]*/proc/604/task/604/attr/fscreate
^[^#]*/proc/604/task/604/attr/exec
^[^#]*/proc/604/attr/keycreate
^[^#]*/proc/605/attr/exec
^[^#]*/proc/608/attr/exec
^[^#]*/proc/605/task/605/attr/keycreate
^[^#]*/proc/605/task/605/attr/sockcreate
^[^#]*/proc/605/attr/current
^[^#]*/proc/605/attr/sockcreate
^[^#]*/proc/605/timerslack_ns
^[^#]*/proc/606/task/606/attr/current
^[^#]*/proc/606/attr/keycreate
^[^#]*/proc/605/task/605/attr/fscreate
^[^#]*/proc/605/task/605/attr/exec
^[^#]*/proc/605/attr/keycreate
^[^#]*/proc/606/task/606/attr/keycreate
^[^#]*/proc/606/task/606/attr/sockcreate
^[^#]*/proc/606/attr/exec
^[^#]*/proc/606/attr/current
^[^#]*/proc/606/attr/fscreate
^[^#]*/proc/606/attr/sockcreate
^[^#]*/proc/606/timerslack_ns
^[^#]*/proc/606/task/606/attr/fscreate
^[^#]*/proc/606/task/606/attr/exec
^[^#]*/proc/608/attr/fscreate
^[^#]*/proc/608/task/608/attr/fscreate
^[^#]*/proc/608/task/608/attr/keycreate
^[^#]*/proc/608/task/608/attr/sockcreate
^[^#]*/proc/608/task/608/attr/current
^[^#]*/proc/608/attr/current
^[^#]*/proc/608/timerslack_ns
^[^#]*/proc/609/task/609/attr/current
^[^#]*/proc/609/attr/fscreate
^[^#]*/proc/608/task/608/attr/exec
^[^#]*/proc/608/attr/keycreate
^[^#]*/proc/608/attr/sockcreate
^[^#]*/proc/609/task/609/attr/keycreate
^[^#]*/proc/609/task/609/attr/sockcreate
^[^#]*/proc/609/attr/current
^[^#]*/proc/705/attr/exec
^[^#]*/proc/609/attr/exec
^[^#]*/proc/609/attr/sockcreate
^[^#]*/proc/609/timerslack_ns
^[^#]*/proc/610/task/610/attr/current
^[^#]*/proc/610/attr/keycreate
^[^#]*/proc/609/task/609/attr/fscreate
^[^#]*/proc/609/task/609/attr/exec
^[^#]*/proc/609/attr/keycreate
^[^#]*/proc/610/task/610/attr/keycreate
^[^#]*/proc/610/task/610/attr/sockcreate
^[^#]*/proc/610/attr/current
^[^#]*/proc/610/task/610/attr/fscreate
^[^#]*/proc/610/attr/exec
^[^#]*/proc/610/attr/fscreate
^[^#]*/proc/610/timerslack_ns
^[^#]*/proc/611/attr/keycreate
^[^#]*/proc/610/task/610/attr/exec
^[^#]*/proc/610/attr/sockcreate
^[^#]*/proc/611/attr/fscreate
^[^#]*/proc/611/task/611/attr/keycreate
^[^#]*/proc/611/attr/current
^[^#]*/proc/611/task/611/attr/sockcreate
^[^#]*/proc/611/task/611/attr/current
^[^#]*/proc/611/attr/exec
^[^#]*/proc/611/attr/sockcreate
^[^#]*/proc/611/timerslack_ns
^[^#]*/proc/678/attr/exec
^[^#]*/proc/678/attr/fscreate
^[^#]*/proc/611/task/611/attr/fscreate
^[^#]*/proc/611/task/611/attr/exec
^[^#]*/proc/678/task/678/attr/exec
^[^#]*/proc/678/task/678/attr/fscreate
^[^#]*/proc/678/task/678/attr/current
^[^#]*/proc/678/attr/current
^[^#]*/proc/678/timerslack_ns
^[^#]*/proc/678/attr/sockcreate
^[^#]*/proc/678/task/678/attr/keycreate
^[^#]*/proc/678/task/678/attr/sockcreate
^[^#]*/proc/678/attr/keycreate
^[^#]*/proc/705/attr/current
^[^#]*/proc/705/task/705/attr/keycreate
^[^#]*/proc/705/task/705/attr/sockcreate
^[^#]*/proc/705/attr/fscreate
^[^#]*/proc/705/attr/sockcreate
^[^#]*/proc/705/timerslack_ns
^[^#]*/proc/740/attr/keycreate
^[^#]*/proc/748/task/748/attr/current
^[^#]*/proc/740/task/740/attr/current
^[^#]*/proc/705/task/705/attr/fscreate
^[^#]*/proc/705/task/705/attr/exec
^[^#]*/proc/705/attr/keycreate
^[^#]*/proc/705/task/705/attr/current
^[^#]*/proc/740/task/740/attr/keycreate
^[^#]*/proc/740/task/740/attr/sockcreate
^[^#]*/proc/740/attr/exec
^[^#]*/proc/740/attr/fscreate
^[^#]*/proc/740/timerslack_ns
^[^#]*/proc/748/attr/fscreate
^[^#]*/proc/740/task/740/attr/fscreate
^[^#]*/proc/740/task/740/attr/exec
^[^#]*/proc/740/attr/current
^[^#]*/proc/740/attr/sockcreate
^[^#]*/proc/748/task/748/attr/keycreate
^[^#]*/proc/748/task/748/attr/sockcreate
^[^#]*/proc/748/attr/exec
^[^#]*/proc/748/attr/sockcreate
^[^#]*/proc/748/timerslack_ns
^[^#]*/proc/820/task/820/attr/current
^[^#]*/proc/820/attr/fscreate
^[^#]*/proc/748/attr/current
^[^#]*/proc/748/task/748/attr/fscreate
^[^#]*/proc/748/task/748/attr/exec
^[^#]*/proc/748/attr/keycreate
^[^#]*/proc/820/task/820/attr/keycreate
^[^#]*/proc/820/task/820/attr/sockcreate
^[^#]*/proc/820/attr/current
^[^#]*/proc/820/attr/keycreate
^[^#]*/proc/820/timerslack_ns
^[^#]*/proc/820/attr/exec
^[^#]*/proc/820/task/820/attr/fscreate
^[^#]*/proc/820/task/820/attr/exec
^[^#]*/proc/820/attr/sockcreate
^[^#]*/proc/821/task/821/attr/sockcreate
^[^#]*/proc/821/task/821/attr/current
^[^#]*/proc/821/attr/fscreate
^[^#]*/proc/821/attr/exec
^[^#]*/proc/821/timerslack_ns
^[^#]*/proc/822/attr/keycreate
^[^#]*/proc/821/attr/sockcreate
^[^#]*/proc/821/attr/current
^[^#]*/proc/821/task/821/attr/exec
^[^#]*/proc/821/task/821/attr/fscreate
^[^#]*/proc/821/task/821/attr/keycreate
^[^#]*/proc/821/attr/keycreate
^[^#]*/proc/822/task/822/attr/current
^[^#]*/proc/822/task/822/attr/keycreate
^[^#]*/proc/822/task/822/attr/sockcreate
^[^#]*/proc/822/attr/current
^[^#]*/proc/822/attr/exec
^[^#]*/proc/822/attr/sockcreate
^[^#]*/proc/822/attr/fscreate
^[^#]*/proc/822/timerslack_ns
^[^#]*/proc/823/task/823/attr/current
^[^#]*/proc/823/attr/fscreate
^[^#]*/proc/822/task/822/attr/fscreate
^[^#]*/proc/822/task/822/attr/exec
^[^#]*/proc/823/task/823/attr/keycreate
^[^#]*/proc/823/attr/current
^[^#]*/proc/823/task/823/attr/sockcreate
^[^#]*/proc/823/attr/exec
^[^#]*/proc/823/attr/sockcreate
^[^#]*/proc/823/timerslack_ns
^[^#]*/proc/824/attr/fscreate
^[^#]*/proc/825/attr/exec
^[^#]*/proc/823/task/823/attr/fscreate
^[^#]*/proc/823/task/823/attr/exec
^[^#]*/proc/823/attr/keycreate
^[^#]*/proc/824/task/824/attr/sockcreate
^[^#]*/proc/824/attr/current
^[^#]*/proc/824/task/824/attr/fscreate
^[^#]*/proc/824/attr/exec
^[^#]*/proc/824/attr/sockcreate
^[^#]*/proc/824/timerslack_ns
^[^#]*/proc/825/task/825/attr/current
^[^#]*/proc/825/attr/keycreate
^[^#]*/proc/826/attr/current
^[^#]*/proc/824/task/824/attr/current
^[^#]*/proc/824/task/824/attr/exec
^[^#]*/proc/824/task/824/attr/keycreate
^[^#]*/proc/825/attr/current
^[^#]*/proc/824/attr/keycreate
^[^#]*/proc/825/task/825/attr/keycreate
^[^#]*/proc/825/task/825/attr/sockcreate
^[^#]*/proc/825/attr/fscreate
^[^#]*/proc/825/timerslack_ns
^[^#]*/proc/826/attr/fscreate
^[^#]*/proc/826/task/826/attr/current
^[^#]*/proc/825/task/825/attr/fscreate
^[^#]*/proc/825/task/825/attr/exec
^[^#]*/proc/825/attr/sockcreate
^[^#]*/proc/826/task/826/attr/keycreate
^[^#]*/proc/826/task/826/attr/sockcreate
^[^#]*/proc/826/attr/exec
^[^#]*/proc/826/attr/sockcreate
^[^#]*/proc/826/timerslack_ns
^[^#]*/proc/828/task/828/attr/current
^[^#]*/proc/828/attr/fscreate
^[^#]*/proc/826/task/826/attr/fscreate
^[^#]*/proc/826/task/826/attr/exec
^[^#]*/proc/826/attr/keycreate
^[^#]*/proc/828/task/828/attr/keycreate
^[^#]*/proc/828/task/828/attr/sockcreate
^[^#]*/proc/828/attr/exec
^[^#]*/proc/829/task/829/attr/current
^[^#]*/proc/828/timerslack_ns
^[^#]*/proc/828/attr/keycreate
^[^#]*/proc/828/attr/current
^[^#]*/proc/830/attr/current
^[^#]*/proc/828/task/828/attr/fscreate
^[^#]*/proc/828/task/828/attr/exec
^[^#]*/proc/829/attr/exec
^[^#]*/proc/828/attr/sockcreate
^[^#]*/proc/829/task/829/attr/keycreate
^[^#]*/proc/829/task/829/attr/sockcreate
^[^#]*/proc/829/attr/current
^[^#]*/proc/829/attr/fscreate
^[^#]*/proc/829/attr/sockcreate
^[^#]*/proc/829/timerslack_ns
^[^#]*/proc/830/attr/fscreate
^[^#]*/proc/829/task/829/attr/fscreate
^[^#]*/proc/829/task/829/attr/exec
^[^#]*/proc/829/attr/keycreate
^[^#]*/proc/830/task/830/attr/keycreate
^[^#]*/proc/830/task/830/attr/sockcreate
^[^#]*/proc/830/task/830/attr/current
^[^#]*/proc/830/attr/keycreate
^[^#]*/proc/830/timerslack_ns
^[^#]*/proc/831/task/831/attr/current
^[^#]*/proc/831/attr/fscreate
^[^#]*/proc/830/attr/exec
^[^#]*/proc/832/attr/exec
^[^#]*/proc/830/task/830/attr/exec
^[^#]*/proc/830/task/830/attr/fscreate
^[^#]*/proc/830/attr/sockcreate
^[^#]*/proc/831/task/831/attr/keycreate
^[^#]*/proc/831/task/831/attr/sockcreate
^[^#]*/proc/832/attr/current
^[^#]*/proc/831/attr/current
^[^#]*/proc/831/attr/keycreate
^[^#]*/proc/831/timerslack_ns
^[^#]*/proc/832/task/832/attr/current
^[^#]*/proc/832/attr/keycreate
^[^#]*/proc/831/attr/exec
^[^#]*/proc/834/attr/exec
^[^#]*/proc/831/task/831/attr/fscreate
^[^#]*/proc/831/task/831/attr/exec
^[^#]*/proc/831/attr/sockcreate
^[^#]*/proc/832/task/832/attr/keycreate
^[^#]*/proc/832/task/832/attr/sockcreate
^[^#]*/proc/832/attr/fscreate
^[^#]*/proc/832/timerslack_ns
^[^#]*/proc/834/attr/fscreate
^[^#]*/proc/834/task/834/attr/current
^[^#]*/proc/832/task/832/attr/fscreate
^[^#]*/proc/832/task/832/attr/exec
^[^#]*/proc/832/attr/sockcreate
^[^#]*/proc/834/task/834/attr/keycreate
^[^#]*/proc/834/attr/current
^[^#]*/proc/834/task/834/attr/sockcreate
^[^#]*/proc/834/attr/sockcreate
^[^#]*/proc/834/timerslack_ns
^[^#]*/proc/836/task/836/attr/current
^[^#]*/proc/836/attr/fscreate
^[^#]*/proc/834/task/834/attr/fscreate
^[^#]*/proc/834/task/834/attr/exec
^[^#]*/proc/834/attr/keycreate
^[^#]*/proc/836/task/836/attr/keycreate
^[^#]*/proc/836/task/836/attr/sockcreate
^[^#]*/proc/836/attr/current
^[^#]*/proc/836/attr/exec
^[^#]*/proc/836/attr/sockcreate
^[^#]*/proc/836/timerslack_ns
^[^#]*/proc/837/task/837/attr/current
^[^#]*/proc/837/attr/fscreate
^[^#]*/proc/837/attr/current
^[^#]*/proc/836/task/836/attr/fscreate
^[^#]*/proc/836/task/836/attr/exec
^[^#]*/proc/836/attr/keycreate
^[^#]*/proc/837/task/837/attr/keycreate
^[^#]*/proc/837/task/837/attr/sockcreate
^[^#]*/proc/837/attr/exec
^[^#]*/proc/837/attr/sockcreate
^[^#]*/proc/837/timerslack_ns
^[^#]*/proc/839/attr/current
^[^#]*/proc/837/task/837/attr/fscreate
^[^#]*/proc/837/task/837/attr/exec
^[^#]*/proc/837/attr/keycreate
^[^#]*/proc/838/task/838/attr/keycreate
^[^#]*/proc/838/task/838/attr/sockcreate
^[^#]*/proc/838/attr/exec
^[^#]*/proc/838/attr/fscreate
^[^#]*/proc/838/attr/current
^[^#]*/proc/838/attr/keycreate
^[^#]*/proc/838/timerslack_ns
^[^#]*/proc/839/attr/keycreate
^[^#]*/proc/838/task/838/attr/current
^[^#]*/proc/838/task/838/attr/exec
^[^#]*/proc/838/task/838/attr/fscreate
^[^#]*/proc/838/attr/sockcreate
^[^#]*/proc/839/task/839/attr/keycreate
^[^#]*/proc/839/task/839/attr/sockcreate
^[^#]*/proc/839/task/839/attr/current
^[^#]*/proc/839/attr/exec
^[^#]*/proc/839/attr/fscreate
^[^#]*/proc/839/timerslack_ns
^[^#]*/proc/840/attr/fscreate
^[^#]*/proc/839/task/839/attr/fscreate
^[^#]*/proc/839/task/839/attr/exec
^[^#]*/proc/839/attr/sockcreate
^[^#]*/proc/840/task/840/attr/current
^[^#]*/proc/840/task/840/attr/sockcreate
^[^#]*/proc/840/attr/exec
^[^#]*/proc/841/task/841/attr/current
^[^#]*/proc/840/attr/current
^[^#]*/proc/840/attr/sockcreate
^[^#]*/proc/840/timerslack_ns
^[^#]*/proc/841/attr/exec
^[^#]*/proc/841/attr/fscreate
^[^#]*/proc/840/task/840/attr/exec
^[^#]*/proc/840/task/840/attr/fscreate
^[^#]*/proc/840/task/840/attr/keycreate
^[^#]*/proc/840/attr/keycreate
^[^#]*/proc/841/task/841/attr/fscreate
^[^#]*/proc/841/task/841/attr/keycreate
^[^#]*/proc/841/attr/current
^[^#]*/proc/841/task/841/attr/sockcreate
^[^#]*/proc/842/task/842/attr/current
^[^#]*/proc/841/timerslack_ns
^[^#]*/proc/841/task/841/attr/exec
^[^#]*/proc/841/attr/keycreate
^[^#]*/proc/841/attr/sockcreate
^[^#]*/proc/842/task/842/attr/fscreate
^[^#]*/proc/842/task/842/attr/keycreate
^[^#]*/proc/842/task/842/attr/sockcreate
^[^#]*/proc/842/attr/current
^[^#]*/proc/842/attr/fscreate
^[^#]*/proc/842/attr/exec
^[^#]*/proc/842/attr/sockcreate
^[^#]*/proc/843/task/843/attr/current
^[^#]*/proc/842/timerslack_ns
^[^#]*/proc/842/task/842/attr/exec
^[^#]*/proc/842/attr/keycreate
^[^#]*/proc/843/task/843/attr/keycreate
^[^#]*/proc/843/attr/current
^[^#]*/proc/843/task/843/attr/sockcreate
^[^#]*/proc/843/attr/exec
^[^#]*/proc/843/attr/fscreate
^[^#]*/proc/843/timerslack_ns
^[^#]*/proc/844/attr/fscreate
^[^#]*/proc/843/task/843/attr/fscreate
^[^#]*/proc/843/task/843/attr/exec
^[^#]*/proc/843/attr/keycreate
^[^#]*/proc/843/attr/sockcreate
^[^#]*/proc/844/attr/exec
^[^#]*/proc/844/task/844/attr/keycreate
^[^#]*/proc/844/attr/current
^[^#]*/proc/844/task/844/attr/sockcreate
^[^#]*/proc/844/task/844/attr/current
^[^#]*/proc/844/attr/sockcreate
^[^#]*/proc/844/timerslack_ns
^[^#]*/proc/845/attr/exec
^[^#]*/proc/845/attr/keycreate
^[^#]*/proc/844/task/844/attr/exec
^[^#]*/proc/844/task/844/attr/fscreate
^[^#]*/proc/844/attr/keycreate
^[^#]*/proc/845/task/845/attr/keycreate
^[^#]*/proc/845/task/845/attr/sockcreate
^[^#]*/proc/845/task/845/attr/current
^[^#]*/proc/845/attr/fscreate
^[^#]*/proc/845/timerslack_ns
^[^#]*/proc/846/task/846/attr/current
^[^#]*/proc/846/attr/keycreate
^[^#]*/proc/845/attr/current
^[^#]*/proc/845/task/845/attr/fscreate
^[^#]*/proc/845/task/845/attr/exec
^[^#]*/proc/845/attr/sockcreate
^[^#]*/proc/846/task/846/attr/keycreate
^[^#]*/proc/846/attr/current
^[^#]*/proc/846/task/846/attr/sockcreate
^[^#]*/proc/846/timerslack_ns
^[^#]*/proc/847/attr/fscreate
^[^#]*/proc/846/attr/fscreate
^[^#]*/proc/846/attr/exec
^[^#]*/proc/847/task/847/attr/current
^[^#]*/proc/847/attr/current
^[^#]*/proc/846/task/846/attr/fscreate
^[^#]*/proc/846/task/846/attr/exec
^[^#]*/proc/846/attr/sockcreate
^[^#]*/proc/847/attr/exec
^[^#]*/proc/847/task/847/attr/keycreate
^[^#]*/proc/847/task/847/attr/sockcreate
^[^#]*/proc/847/attr/sockcreate
^[^#]*/proc/847/timerslack_ns
^[^#]*/proc/848/task/848/attr/current
^[^#]*/proc/848/attr/fscreate
^[^#]*/proc/847/task/847/attr/fscreate
^[^#]*/proc/847/task/847/attr/exec
^[^#]*/proc/847/attr/keycreate
^[^#]*/proc/848/task/848/attr/keycreate
^[^#]*/proc/848/task/848/attr/sockcreate
^[^#]*/proc/848/attr/exec
^[^#]*/proc/848/attr/sockcreate
^[^#]*/proc/848/timerslack_ns
^[^#]*/proc/849/attr/keycreate
^[^#]*/proc/848/attr/current
^[^#]*/proc/849/attr/exec
^[^#]*/proc/848/task/848/attr/fscreate
^[^#]*/proc/848/task/848/attr/exec
^[^#]*/proc/848/attr/keycreate
^[^#]*/proc/849/task/849/attr/keycreate
^[^#]*/proc/849/task/849/attr/sockcreate
^[^#]*/proc/849/attr/fscreate
^[^#]*/proc/849/timerslack_ns
^[^#]*/proc/850/task/850/attr/current
^[^#]*/proc/849/attr/current
^[^#]*/proc/849/attr/sockcreate
^[^#]*/proc/849/task/849/attr/current
^[^#]*/proc/849/task/849/attr/fscreate
^[^#]*/proc/849/task/849/attr/exec
^[^#]*/proc/850/attr/current
^[^#]*/proc/850/attr/exec
^[^#]*/proc/850/task/850/attr/keycreate
^[^#]*/proc/850/task/850/attr/sockcreate
^[^#]*/proc/850/attr/fscreate
^[^#]*/proc/850/attr/sockcreate
^[^#]*/proc/850/timerslack_ns
^[^#]*/proc/894/task/894/attr/current
^[^#]*/proc/850/task/850/attr/fscreate
^[^#]*/proc/850/task/850/attr/exec
^[^#]*/proc/850/attr/keycreate
^[^#]*/proc/894/task/894/attr/keycreate
^[^#]*/proc/894/task/894/attr/sockcreate
^[^#]*/proc/894/attr/fscreate
^[^#]*/proc/894/attr/sockcreate
^[^#]*/proc/894/timerslack_ns
^[^#]*/proc/895/attr/keycreate
^[^#]*/proc/894/attr/current
^[^#]*/proc/894/task/894/attr/fscreate
^[^#]*/proc/894/task/894/attr/exec
^[^#]*/proc/894/attr/exec
^[^#]*/proc/894/attr/keycreate
^[^#]*/proc/895/task/895/attr/fscreate
^[^#]*/proc/895/task/895/attr/current
^[^#]*/proc/895/task/895/attr/keycreate
^[^#]*/proc/895/task/895/attr/sockcreate
^[^#]*/proc/895/task/896/attr/current
^[^#]*/proc/895/task/896/attr/fscreate
^[^#]*/proc/895/task/898/attr/exec
^[^#]*/proc/895/task/896/attr/keycreate
^[^#]*/proc/897/attr/keycreate
^[^#]*/proc/895/task/895/attr/exec
^[^#]*/proc/895/task/896/attr/exec
^[^#]*/proc/895/task/898/attr/fscreate
^[^#]*/proc/895/task/896/attr/sockcreate
^[^#]*/proc/895/task/898/attr/current
^[^#]*/proc/923/attr/exec
^[^#]*/proc/895/task/898/attr/keycreate
^[^#]*/proc/895/task/898/attr/sockcreate
^[^#]*/proc/895/attr/current
^[^#]*/proc/895/attr/fscreate
^[^#]*/proc/897/task/897/attr/current
^[^#]*/proc/895/timerslack_ns
^[^#]*/proc/895/attr/exec
^[^#]*/proc/895/attr/sockcreate
^[^#]*/proc/897/task/897/attr/fscreate
^[^#]*/proc/897/task/897/attr/sockcreate
^[^#]*/proc/897/attr/fscreate
^[^#]*/proc/897/attr/sockcreate
^[^#]*/proc/897/attr/current
^[^#]*/proc/897/attr/exec
^[^#]*/proc/920/attr/exec
^[^#]*/proc/920/task/920/attr/current
^[^#]*/proc/897/task/897/attr/exec
^[^#]*/proc/897/task/897/attr/keycreate
^[^#]*/proc/897/timerslack_ns
^[^#]*/proc/920/task/920/attr/keycreate
^[^#]*/proc/920/task/920/attr/sockcreate
^[^#]*/proc/920/attr/current
^[^#]*/proc/924/attr/exec
^[^#]*/proc/920/attr/fscreate
^[^#]*/proc/920/attr/keycreate
^[^#]*/proc/920/attr/sockcreate
^[^#]*/proc/923/task/923/attr/current
^[^#]*/proc/920/task/920/attr/fscreate
^[^#]*/proc/920/task/920/attr/exec
^[^#]*/proc/920/timerslack_ns
^[^#]*/proc/924/attr/current
^[^#]*/proc/451716/attr/exec
^[^#]*/proc/923/task/923/attr/fscreate
^[^#]*/proc/923/task/923/attr/sockcreate
^[^#]*/proc/923/attr/fscreate
^[^#]*/proc/923/attr/keycreate
^[^#]*/proc/923/attr/sockcreate
^[^#]*/proc/923/attr/current
^[^#]*/proc/923/task/923/attr/exec
^[^#]*/proc/923/task/923/attr/keycreate
^[^#]*/proc/923/timerslack_ns
^[^#]*/proc/924/task/924/attr/current
^[^#]*/proc/924/task/924/attr/keycreate
^[^#]*/proc/924/task/924/attr/sockcreate
^[^#]*/proc/926/attr/current
^[^#]*/proc/926/attr/exec
^[^#]*/proc/924/attr/keycreate
^[^#]*/proc/924/task/956/attr/current
^[^#]*/proc/924/task/956/attr/exec
^[^#]*/proc/924/task/924/attr/fscreate
^[^#]*/proc/924/task/924/attr/exec
^[^#]*/proc/924/task/956/attr/fscreate
^[^#]*/proc/924/task/956/attr/keycreate
^[^#]*/proc/924/task/956/attr/sockcreate
^[^#]*/proc/924/attr/fscreate
^[^#]*/proc/924/attr/sockcreate
^[^#]*/proc/924/timerslack_ns
^[^#]*/proc/926/task/926/attr/current
^[^#]*/proc/926/task/926/attr/keycreate
^[^#]*/proc/926/task/926/attr/sockcreate
^[^#]*/proc/926/attr/keycreate
^[^#]*/proc/926/attr/fscreate
^[^#]*/proc/926/attr/sockcreate
^[^#]*/proc/927/attr/fscreate
^[^#]*/proc/926/task/926/attr/fscreate
^[^#]*/proc/926/task/926/attr/exec
^[^#]*/proc/926/timerslack_ns
^[^#]*/proc/927/task/927/attr/keycreate
^[^#]*/proc/927/task/927/attr/sockcreate
^[^#]*/proc/927/attr/sockcreate
^[^#]*/proc/927/timerslack_ns
^[^#]*/proc/930/attr/sockcreate
^[^#]*/proc/930/task/930/attr/current
^[^#]*/proc/927/attr/current
^[^#]*/proc/927/attr/exec
^[^#]*/proc/927/task/927/attr/exec
^[^#]*/proc/927/task/927/attr/fscreate
^[^#]*/proc/927/attr/keycreate
^[^#]*/proc/927/task/927/attr/current
^[^#]*/proc/930/attr/current
^[^#]*/proc/930/task/930/attr/fscreate
^[^#]*/proc/930/task/930/attr/sockcreate
^[^#]*/proc/930/task/967/attr/fscreate
^[^#]*/proc/930/attr/keycreate
^[^#]*/proc/935/attr/current
^[^#]*/proc/930/task/967/attr/current
^[^#]*/proc/930/task/967/attr/keycreate
^[^#]*/proc/930/task/930/attr/exec
^[^#]*/proc/930/task/930/attr/keycreate
^[^#]*/proc/930/task/967/attr/exec
^[^#]*/proc/930/attr/fscreate
^[^#]*/proc/930/task/967/attr/sockcreate
^[^#]*/proc/930/attr/exec
^[^#]*/proc/930/timerslack_ns
^[^#]*/proc/935/task/935/attr/keycreate
^[^#]*/proc/935/task/935/attr/sockcreate
^[^#]*/proc/935/task/986/attr/current
^[^#]*/proc/935/task/984/attr/keycreate
^[^#]*/proc/951/attr/fscreate
^[^#]*/proc/935/task/935/attr/current
^[^#]*/proc/935/task/935/attr/fscreate
^[^#]*/proc/935/task/935/attr/exec
^[^#]*/proc/935/task/984/attr/exec
^[^#]*/proc/935/task/984/attr/fscreate
^[^#]*/proc/935/task/984/attr/current
^[^#]*/proc/935/task/984/attr/sockcreate
^[^#]*/proc/935/task/985/attr/exec
^[^#]*/proc/935/task/985/attr/fscreate
^[^#]*/proc/935/task/985/attr/keycreate
^[^#]*/proc/935/task/985/attr/sockcreate
^[^#]*/proc/935/task/986/attr/fscreate
^[^#]*/proc/935/task/985/attr/current
^[^#]*/proc/935/task/986/attr/exec
^[^#]*/proc/935/task/987/attr/exec
^[^#]*/proc/935/task/987/attr/fscreate
^[^#]*/proc/935/task/989/attr/current
^[^#]*/proc/935/task/986/attr/keycreate
^[^#]*/proc/935/task/986/attr/sockcreate
^[^#]*/proc/935/task/987/attr/keycreate
^[^#]*/proc/935/task/987/attr/sockcreate
^[^#]*/proc/935/task/989/attr/fscreate
^[^#]*/proc/935/task/987/attr/current
^[^#]*/proc/935/task/989/attr/exec
^[^#]*/proc/935/attr/keycreate
^[^#]*/proc/935/attr/sockcreate
^[^#]*/proc/935/task/989/attr/keycreate
^[^#]*/proc/935/task/989/attr/sockcreate
^[^#]*/proc/970/attr/fscreate
^[^#]*/proc/935/attr/exec
^[^#]*/proc/935/attr/fscreate
^[^#]*/proc/935/timerslack_ns
^[^#]*/proc/1446/attr/exec
^[^#]*/proc/951/task/951/attr/current
^[^#]*/proc/970/attr/current
^[^#]*/proc/951/task/951/attr/keycreate
^[^#]*/proc/951/task/951/attr/sockcreate
^[^#]*/proc/951/attr/current
^[^#]*/proc/951/attr/keycreate
^[^#]*/proc/951/attr/sockcreate
^[^#]*/proc/951/attr/exec
^[^#]*/proc/951/task/951/attr/fscreate
^[^#]*/proc/951/task/951/attr/exec
^[^#]*/proc/970/task/970/attr/current
^[^#]*/proc/951/timerslack_ns
^[^#]*/proc/970/task/970/attr/fscreate
^[^#]*/proc/970/task/970/attr/sockcreate
^[^#]*/proc/970/task/982/attr/current
^[^#]*/proc/988/attr/exec
^[^#]*/proc/970/attr/keycreate
^[^#]*/proc/970/task/982/attr/fscreate
^[^#]*/proc/970/task/970/attr/exec
^[^#]*/proc/970/task/970/attr/keycreate
^[^#]*/proc/970/task/982/attr/exec
^[^#]*/proc/970/task/982/attr/keycreate
^[^#]*/proc/970/task/982/attr/sockcreate
^[^#]*/proc/970/task/983/attr/current
^[^#]*/proc/970/task/983/attr/exec
^[^#]*/proc/970/task/983/attr/keycreate
^[^#]*/proc/970/task/983/attr/sockcreate
^[^#]*/proc/970/task/983/attr/fscreate
^[^#]*/proc/970/attr/exec
^[^#]*/proc/970/attr/sockcreate
^[^#]*/proc/970/timerslack_ns
^[^#]*/proc/988/task/988/attr/keycreate
^[^#]*/proc/988/task/988/attr/sockcreate
^[^#]*/proc/988/attr/current
^[^#]*/proc/988/attr/fscreate
^[^#]*/proc/988/attr/keycreate
^[^#]*/proc/988/attr/sockcreate
^[^#]*/proc/988/timerslack_ns
^[^#]*/proc/991/task/991/attr/current
^[^#]*/proc/988/task/988/attr/fscreate
^[^#]*/proc/988/task/988/attr/exec
^[^#]*/proc/988/task/988/attr/current
^[^#]*/proc/992/attr/current
^[^#]*/proc/991/task/991/attr/keycreate
^[^#]*/proc/991/task/991/attr/sockcreate
^[^#]*/proc/991/task/1089/attr/current
^[^#]*/proc/991/attr/current
^[^#]*/proc/991/attr/keycreate
^[^#]*/proc/991/task/1089/attr/keycreate
^[^#]*/proc/991/task/1089/attr/sockcreate
^[^#]*/proc/992/task/992/attr/current
^[^#]*/proc/991/task/1089/attr/exec
^[^#]*/proc/991/task/991/attr/fscreate
^[^#]*/proc/991/task/991/attr/exec
^[^#]*/proc/991/task/1089/attr/fscreate
^[^#]*/proc/991/attr/exec
^[^#]*/proc/991/attr/fscreate
^[^#]*/proc/991/attr/sockcreate
^[^#]*/proc/991/timerslack_ns
^[^#]*/proc/992/task/992/attr/fscreate
^[^#]*/proc/992/task/992/attr/sockcreate
^[^#]*/proc/992/attr/exec
^[^#]*/proc/992/attr/sockcreate
^[^#]*/proc/992/timerslack_ns
^[^#]*/proc/993/task/993/attr/current
^[^#]*/proc/993/attr/keycreate
^[^#]*/proc/992/task/992/attr/exec
^[^#]*/proc/992/task/992/attr/keycreate
^[^#]*/proc/992/attr/fscreate
^[^#]*/proc/992/attr/keycreate
^[^#]*/proc/993/task/993/attr/keycreate
^[^#]*/proc/993/task/993/attr/sockcreate
^[^#]*/proc/993/attr/exec
^[^#]*/proc/993/attr/sockcreate
^[^#]*/proc/993/timerslack_ns
^[^#]*/proc/1128/task/1128/attr/current
^[^#]*/proc/1128/attr/keycreate
^[^#]*/proc/1128/timerslack_ns
^[^#]*/proc/993/attr/current
^[^#]*/proc/993/task/993/attr/fscreate
^[^#]*/proc/993/task/993/attr/exec
^[^#]*/proc/993/attr/fscreate
^[^#]*/proc/1128/task/1128/attr/keycreate
^[^#]*/proc/1128/task/1128/attr/sockcreate
^[^#]*/proc/1128/task/1129/attr/current
^[^#]*/proc/1128/task/1129/attr/fscreate
^[^#]*/proc/1128/task/1129/attr/exec
^[^#]*/proc/1128/task/1130/attr/fscreate
^[^#]*/proc/1128/task/1130/attr/current
^[^#]*/proc/1128/attr/exec
^[^#]*/proc/1128/task/1129/attr/keycreate
^[^#]*/proc/1132/task/1132/attr/exec
^[^#]*/proc/1128/task/1128/attr/exec
^[^#]*/proc/1128/task/1128/attr/fscreate
^[^#]*/proc/1128/task/1129/attr/sockcreate
^[^#]*/proc/1128/task/1130/attr/exec
^[^#]*/proc/1128/task/1130/attr/keycreate
^[^#]*/proc/1128/task/1130/attr/sockcreate
^[^#]*/proc/1128/attr/current
^[^#]*/proc/1128/attr/fscreate
^[^#]*/proc/1128/attr/sockcreate
^[^#]*/proc/1132/attr/keycreate
^[^#]*/proc/1132/task/1132/attr/current
^[^#]*/proc/1132/task/1132/attr/sockcreate
^[^#]*/proc/1132/attr/exec
^[^#]*/proc/1132/attr/current
^[^#]*/proc/1132/attr/fscreate
^[^#]*/proc/1132/attr/sockcreate
^[^#]*/proc/1132/timerslack_ns
^[^#]*/proc/1133/task/1133/attr/exec
^[^#]*/proc/1132/task/1132/attr/fscreate
^[^#]*/proc/1132/task/1132/attr/keycreate
^[^#]*/proc/1133/task/1133/attr/keycreate
^[^#]*/proc/1133/task/1133/attr/sockcreate
^[^#]*/proc/1133/task/1289/attr/fscreate
^[^#]*/proc/1133/task/1293/attr/fscreate
^[^#]*/proc/1133/task/1293/attr/keycreate
^[^#]*/proc/1133/task/1289/attr/current
^[^#]*/proc/1133/task/1289/attr/exec
^[^#]*/proc/1133/task/1289/attr/keycreate
^[^#]*/proc/1133/task/1289/attr/sockcreate
^[^#]*/proc/1133/timerslack_ns
^[^#]*/proc/1137/task/1137/attr/exec
^[^#]*/proc/1395/attr/exec
^[^#]*/proc/1133/task/1133/attr/current
^[^#]*/proc/1133/task/1133/attr/fscreate
^[^#]*/proc/1133/task/1293/attr/exec
^[^#]*/proc/1133/task/1293/attr/sockcreate
^[^#]*/proc/1133/task/1294/attr/current
^[^#]*/proc/1133/task/1294/attr/exec
^[^#]*/proc/1133/task/1293/attr/current
^[^#]*/proc/1133/attr/exec
^[^#]*/proc/1133/attr/keycreate
^[^#]*/proc/1133/task/1294/attr/keycreate
^[^#]*/proc/1133/task/1294/attr/sockcreate
^[^#]*/proc/1133/task/1294/attr/fscreate
^[^#]*/proc/1133/attr/current
^[^#]*/proc/1133/attr/fscreate
^[^#]*/proc/1133/attr/sockcreate
^[^#]*/proc/1137/task/1137/attr/current
^[^#]*/proc/1137/task/1137/attr/keycreate
^[^#]*/proc/1137/task/1137/attr/sockcreate
^[^#]*/proc/1137/attr/exec
^[^#]*/proc/1137/attr/current
^[^#]*/proc/1137/attr/fscreate
^[^#]*/proc/1137/attr/keycreate
^[^#]*/proc/1137/attr/sockcreate
^[^#]*/proc/1137/timerslack_ns
^[^#]*/proc/1295/attr/exec
^[^#]*/proc/1137/task/1137/attr/fscreate
^[^#]*/proc/1295/task/1295/attr/exec
^[^#]*/proc/1295/task/1295/attr/keycreate
^[^#]*/proc/1295/task/1295/attr/sockcreate
^[^#]*/proc/1295/attr/fscreate
^[^#]*/proc/1295/attr/keycreate
^[^#]*/proc/1295/attr/sockcreate
^[^#]*/proc/1295/timerslack_ns
^[^#]*/proc/1395/task/1395/attr/exec
^[^#]*/proc/1295/task/1295/attr/current
^[^#]*/proc/1295/attr/current
^[^#]*/proc/1295/task/1295/attr/fscreate
^[^#]*/proc/1395/attr/current
^[^#]*/proc/1395/task/1395/attr/keycreate
^[^#]*/proc/1395/task/1395/attr/sockcreate
^[^#]*/proc/1395/task/1395/attr/current
^[^#]*/proc/1395/attr/fscreate
^[^#]*/proc/1395/attr/sockcreate
^[^#]*/proc/1395/timerslack_ns
^[^#]*/proc/1396/task/1396/attr/exec
^[^#]*/proc/1396/task/1396/attr/current
^[^#]*/proc/1396/attr/fscreate
^[^#]*/proc/1396/timerslack_ns
^[^#]*/proc/1395/task/1395/attr/fscreate
^[^#]*/proc/1395/attr/keycreate
^[^#]*/proc/1396/task/1396/attr/keycreate
^[^#]*/proc/1396/task/1396/attr/sockcreate
^[^#]*/proc/1396/attr/exec
^[^#]*/proc/1396/attr/sockcreate
^[^#]*/proc/1439/attr/fscreate
^[^#]*/proc/1439/task/1439/attr/exec
^[^#]*/proc/1439/attr/exec
^[^#]*/proc/1396/attr/current
^[^#]*/proc/1396/task/1396/attr/fscreate
^[^#]*/proc/1396/attr/keycreate
^[^#]*/proc/1441/attr/current
^[^#]*/proc/1439/attr/current
^[^#]*/proc/1439/task/1439/attr/keycreate
^[^#]*/proc/1439/task/1439/attr/sockcreate
^[^#]*/proc/1439/attr/keycreate
^[^#]*/proc/1439/attr/sockcreate
^[^#]*/proc/1439/timerslack_ns
^[^#]*/proc/1441/task/1441/attr/exec
^[^#]*/proc/1441/attr/exec
^[^#]*/proc/1439/task/1439/attr/current
^[^#]*/proc/1439/task/1439/attr/fscreate
^[^#]*/proc/1441/attr/fscreate
^[^#]*/proc/1441/attr/keycreate
^[^#]*/proc/1441/attr/sockcreate
^[^#]*/proc/1441/task/1441/attr/keycreate
^[^#]*/proc/1441/task/1441/attr/sockcreate
^[^#]*/proc/1441/timerslack_ns
^[^#]*/proc/1442/attr/exec
^[^#]*/proc/1441/task/1441/attr/current
^[^#]*/proc/1441/task/1441/attr/fscreate
^[^#]*/proc/1442/task/1442/attr/keycreate
^[^#]*/proc/1442/task/1442/attr/sockcreate
^[^#]*/proc/1442/task/1574/attr/fscreate
^[^#]*/proc/1442/attr/fscreate
^[^#]*/proc/1446/attr/current
^[^#]*/proc/1442/task/1565/attr/current
^[^#]*/proc/1442/task/1565/attr/exec
^[^#]*/proc/1442/task/1565/attr/keycreate
^[^#]*/proc/1442/attr/keycreate
^[^#]*/proc/1442/timerslack_ns
^[^#]*/proc/1442/task/1442/attr/exec
^[^#]*/proc/1442/task/1442/attr/current
^[^#]*/proc/1442/task/1442/attr/fscreate
^[^#]*/proc/1442/task/1565/attr/fscreate
^[^#]*/proc/1442/task/1565/attr/sockcreate
^[^#]*/proc/1442/task/1574/attr/exec
^[^#]*/proc/1442/task/1574/attr/current
^[^#]*/proc/1442/task/1574/attr/keycreate
^[^#]*/proc/1442/task/1574/attr/sockcreate
^[^#]*/proc/1442/attr/current
^[^#]*/proc/1446/attr/keycreate
^[^#]*/proc/1446/task/1446/attr/current
^[^#]*/proc/1442/attr/sockcreate
^[^#]*/proc/1446/attr/sockcreate
^[^#]*/proc/1446/task/1446/attr/exec
^[^#]*/proc/1446/task/1446/attr/keycreate
^[^#]*/proc/1446/task/1446/attr/sockcreate
^[^#]*/proc/1446/attr/fscreate
^[^#]*/proc/1446/timerslack_ns
^[^#]*/proc/1447/task/1447/attr/exec
^[^#]*/proc/1447/task/1447/attr/current
^[^#]*/proc/1446/task/1446/attr/fscreate
^[^#]*/proc/1447/attr/current
^[^#]*/proc/1447/task/1447/attr/sockcreate
^[^#]*/proc/1447/attr/exec
^[^#]*/proc/1447/attr/fscreate
^[^#]*/proc/1447/attr/keycreate
^[^#]*/proc/1447/attr/sockcreate
^[^#]*/proc/1447/timerslack_ns
^[^#]*/proc/1448/task/1448/attr/exec
^[^#]*/proc/1447/task/1447/attr/fscreate
^[^#]*/proc/1447/task/1447/attr/keycreate
^[^#]*/proc/1449/attr/exec
^[^#]*/proc/1448/task/1448/attr/keycreate
^[^#]*/proc/1448/task/1448/attr/sockcreate
^[^#]*/proc/1448/attr/exec
^[^#]*/proc/1448/attr/fscreate
^[^#]*/proc/1448/attr/current
^[^#]*/proc/1448/attr/keycreate
^[^#]*/proc/1448/attr/sockcreate
^[^#]*/proc/1448/timerslack_ns
^[^#]*/proc/1449/task/1449/attr/current
^[^#]*/proc/1448/task/1448/attr/current
^[^#]*/proc/1448/task/1448/attr/fscreate
^[^#]*/proc/3457/attr/exec
^[^#]*/proc/1449/task/1449/attr/exec
^[^#]*/proc/1449/task/1449/attr/sockcreate
^[^#]*/proc/1449/attr/current
^[^#]*/proc/1449/attr/keycreate
^[^#]*/proc/1449/attr/fscreate
^[^#]*/proc/1449/attr/sockcreate
^[^#]*/proc/1449/timerslack_ns
^[^#]*/proc/3457/task/3457/attr/exec
^[^#]*/proc/1449/task/1449/attr/fscreate
^[^#]*/proc/1449/task/1449/attr/keycreate
^[^#]*/proc/3457/task/4337/attr/exec
^[^#]*/proc/3457/task/3457/attr/current
^[^#]*/proc/3457/task/3457/attr/keycreate
^[^#]*/proc/3457/task/3457/attr/sockcreate
^[^#]*/proc/3457/task/4336/attr/exec
^[^#]*/proc/3457/task/4336/attr/fscreate
^[^#]*/proc/3457/task/4338/attr/exec
^[^#]*/proc/3457/task/4336/attr/current
^[^#]*/proc/3457/attr/keycreate
^[^#]*/proc/3457/timerslack_ns
^[^#]*/proc/278441/task/278441/attr/exec
^[^#]*/proc/3457/task/3457/attr/fscreate
^[^#]*/proc/3457/task/4336/attr/keycreate
^[^#]*/proc/3457/task/4336/attr/sockcreate
^[^#]*/proc/3457/task/4337/attr/current
^[^#]*/proc/3457/task/4340/attr/fscreate
^[^#]*/proc/3457/attr/fscreate
^[^#]*/proc/3457/task/4338/attr/fscreate
^[^#]*/proc/3457/task/4337/attr/fscreate
^[^#]*/proc/3457/task/4337/attr/keycreate
^[^#]*/proc/3457/task/4337/attr/sockcreate
^[^#]*/proc/3457/task/4338/attr/current
^[^#]*/proc/3457/task/4338/attr/keycreate
^[^#]*/proc/3457/task/4338/attr/sockcreate
^[^#]*/proc/3457/task/4340/attr/current
^[^#]*/proc/3457/task/4340/attr/exec
^[^#]*/proc/278441/attr/current
^[^#]*/proc/3457/task/4340/attr/keycreate
^[^#]*/proc/3457/task/4340/attr/sockcreate
^[^#]*/proc/3457/attr/current
^[^#]*/proc/3457/attr/sockcreate
^[^#]*/proc/278441/task/278441/attr/current
^[^#]*/proc/278441/task/278441/attr/keycreate
^[^#]*/proc/278441/task/278441/attr/sockcreate
^[^#]*/proc/278441/attr/fscreate
^[^#]*/proc/278441/attr/exec
^[^#]*/proc/278441/attr/sockcreate
^[^#]*/proc/278441/timerslack_ns
^[^#]*/proc/278441/task/278441/attr/fscreate
^[^#]*/proc/278441/attr/keycreate
^[^#]*/proc/395365/task/395365/attr/sockcreate
^[^#]*/proc/395365/attr/fscreate
^[^#]*/proc/395365/task/395365/attr/exec
^[^#]*/proc/395365/task/395365/attr/current
^[^#]*/proc/395365/attr/exec
^[^#]*/proc/395365/attr/sockcreate
^[^#]*/proc/395365/timerslack_ns
^[^#]*/proc/395457/task/395457/attr/exec
^[^#]*/proc/395457/attr/fscreate
^[^#]*/proc/395365/task/395365/attr/fscreate
^[^#]*/proc/395365/task/395365/attr/keycreate
^[^#]*/proc/395365/attr/current
^[^#]*/proc/395365/attr/keycreate
^[^#]*/proc/395457/attr/exec
^[^#]*/proc/395457/attr/current
^[^#]*/proc/395457/task/395457/attr/current
^[^#]*/proc/395457/task/395457/attr/keycreate
^[^#]*/proc/395457/task/395457/attr/sockcreate
^[^#]*/proc/395457/attr/sockcreate
^[^#]*/proc/395457/timerslack_ns
^[^#]*/proc/395738/attr/fscreate
^[^#]*/proc/395457/task/395457/attr/fscreate
^[^#]*/proc/395457/attr/keycreate
^[^#]*/proc/395738/attr/exec
^[^#]*/proc/395738/attr/current
^[^#]*/proc/395738/task/395738/attr/current
^[^#]*/proc/395738/task/395738/attr/keycreate
^[^#]*/proc/395738/task/395738/attr/sockcreate
^[^#]*/proc/395738/attr/sockcreate
^[^#]*/proc/395738/timerslack_ns
^[^#]*/proc/395757/attr/current
^[^#]*/proc/395751/attr/current
^[^#]*/proc/395738/task/395738/attr/exec
^[^#]*/proc/395738/task/395738/attr/fscreate
^[^#]*/proc/395738/attr/keycreate
^[^#]*/proc/395751/attr/fscreate
^[^#]*/proc/395751/task/395751/attr/current
^[^#]*/proc/395751/task/395751/attr/keycreate
^[^#]*/proc/395751/task/395751/attr/sockcreate
^[^#]*/proc/395751/attr/exec
^[^#]*/proc/395751/attr/keycreate
^[^#]*/proc/395751/attr/sockcreate
^[^#]*/proc/395757/attr/exec
^[^#]*/proc/395751/task/395751/attr/exec
^[^#]*/proc/395751/task/395751/attr/fscreate
^[^#]*/proc/395751/timerslack_ns
^[^#]*/proc/395757/task/395757/attr/keycreate
^[^#]*/proc/395757/task/395757/attr/sockcreate
^[^#]*/proc/395757/task/395757/attr/exec
^[^#]*/proc/395757/attr/fscreate
^[^#]*/proc/395757/attr/keycreate
^[^#]*/proc/395757/attr/sockcreate
^[^#]*/proc/395757/timerslack_ns
^[^#]*/proc/395759/task/395759/attr/exec
^[^#]*/proc/395759/attr/current
^[^#]*/proc/395757/task/395757/attr/fscreate
^[^#]*/proc/395757/task/395757/attr/current
^[^#]*/proc/395759/task/395759/attr/current
^[^#]*/proc/395759/task/395759/attr/sockcreate
^[^#]*/proc/395766/attr/exec
^[^#]*/proc/395759/timerslack_ns
^[^#]*/proc/395760/task/395760/attr/exec
^[^#]*/proc/395759/attr/sockcreate
^[^#]*/proc/395760/attr/exec
^[^#]*/proc/395760/attr/fscreate
^[^#]*/proc/395759/task/395759/attr/fscreate
^[^#]*/proc/395759/task/395759/attr/keycreate
^[^#]*/proc/395759/attr/fscreate
^[^#]*/proc/395759/attr/exec
^[^#]*/proc/395759/attr/keycreate
^[^#]*/proc/395760/task/395760/attr/current
^[^#]*/proc/395760/task/395760/attr/keycreate
^[^#]*/proc/395760/task/395760/attr/sockcreate
^[^#]*/proc/395760/attr/keycreate
^[^#]*/proc/395760/attr/sockcreate
^[^#]*/proc/395766/attr/fscreate
^[^#]*/proc/399947/attr/current
^[^#]*/proc/395766/task/395766/attr/exec
^[^#]*/proc/395766/attr/current
^[^#]*/proc/395760/task/395760/attr/fscreate
^[^#]*/proc/395760/attr/current
^[^#]*/proc/395760/timerslack_ns
^[^#]*/proc/395766/task/395766/attr/current
^[^#]*/proc/395766/task/395766/attr/keycreate
^[^#]*/proc/395766/task/395766/attr/sockcreate
^[^#]*/proc/395766/attr/sockcreate
^[^#]*/proc/395766/timerslack_ns
^[^#]*/proc/399947/attr/keycreate
^[^#]*/proc/395766/task/395766/attr/fscreate
^[^#]*/proc/395766/attr/keycreate
^[^#]*/proc/399947/attr/exec
^[^#]*/proc/399947/task/399947/attr/current
^[^#]*/proc/399947/task/399947/attr/exec
^[^#]*/proc/399947/task/399947/attr/keycreate
^[^#]*/proc/399947/task/399947/attr/sockcreate
^[^#]*/proc/399947/timerslack_ns
^[^#]*/proc/399947/attr/fscreate
^[^#]*/proc/399947/task/399947/attr/fscreate
^[^#]*/proc/399947/attr/sockcreate
^[^#]*/proc/451716/attr/fscreate
^[^#]*/proc/451716/task/451716/attr/current
^[^#]*/proc/451716/task/451716/attr/keycreate
^[^#]*/proc/451716/task/451716/attr/sockcreate
^[^#]*/proc/451716/task/451716/attr/exec
^[^#]*/proc/451716/attr/sockcreate
^[^#]*/proc/451716/timerslack_ns
^[^#]*/proc/493723/task/493723/attr/exec
^[^#]*/proc/451716/attr/current
^[^#]*/proc/493723/attr/current
^[^#]*/proc/451716/task/451716/attr/fscreate
^[^#]*/proc/451716/attr/keycreate
^[^#]*/proc/493723/task/493723/attr/current
^[^#]*/proc/493723/task/493723/attr/keycreate
^[^#]*/proc/493723/task/493723/attr/sockcreate
^[^#]*/proc/493723/attr/fscreate
^[^#]*/proc/493723/attr/exec
^[^#]*/proc/493723/timerslack_ns
^[^#]*/proc/499826/attr/keycreate
^[^#]*/proc/493723/attr/sockcreate
^[^#]*/proc/499826/task/499826/attr/exec
^[^#]*/proc/493723/task/493723/attr/fscreate
^[^#]*/proc/493723/attr/keycreate
^[^#]*/proc/499826/task/499826/attr/current
^[^#]*/proc/499826/task/499826/attr/keycreate
^[^#]*/proc/499826/task/499826/attr/sockcreate
^[^#]*/proc/499826/attr/exec
^[^#]*/proc/499826/attr/fscreate
^[^#]*/proc/499826/timerslack_ns
^[^#]*/proc/502165/task/502165/attr/exec
^[^#]*/proc/502165/attr/keycreate
^[^#]*/proc/499826/task/499826/attr/fscreate
^[^#]*/proc/499826/attr/current
^[^#]*/proc/499826/attr/sockcreate
^[^#]*/proc/502165/attr/current
^[^#]*/proc/502165/task/502165/attr/keycreate
^[^#]*/proc/502165/task/502165/attr/sockcreate
^[^#]*/proc/509560/attr/exec
^[^#]*/proc/502165/task/502165/attr/current
^[^#]*/proc/502165/attr/fscreate
^[^#]*/proc/502165/timerslack_ns
^[^#]*/proc/509539/attr/current
^[^#]*/proc/502165/task/502165/attr/fscreate
^[^#]*/proc/502165/attr/exec
^[^#]*/proc/502165/attr/sockcreate
^[^#]*/proc/509539/task/509539/attr/current
^[^#]*/proc/509539/task/509539/attr/exec
^[^#]*/proc/509539/task/509539/attr/keycreate
^[^#]*/proc/509539/task/509539/attr/sockcreate
^[^#]*/proc/509539/attr/exec
^[^#]*/proc/509539/attr/fscreate
^[^#]*/proc/509539/attr/sockcreate
^[^#]*/proc/509539/attr/keycreate
^[^#]*/proc/509560/attr/fscreate
^[^#]*/proc/509562/attr/exec
^[^#]*/proc/509539/task/509539/attr/fscreate
^[^#]*/proc/509539/timerslack_ns
^[^#]*/proc/509560/task/509560/attr/sockcreate
^[^#]*/proc/509560/attr/current
^[^#]*/proc/509560/task/509560/attr/current
^[^#]*/proc/509560/attr/sockcreate
^[^#]*/proc/509560/timerslack_ns
^[^#]*/proc/509562/attr/fscreate
^[^#]*/proc/509563/task/509563/attr/exec
^[^#]*/proc/509562/attr/current
^[^#]*/proc/509560/task/509560/attr/exec
^[^#]*/proc/509560/task/509560/attr/fscreate
^[^#]*/proc/509560/task/509560/attr/keycreate
^[^#]*/proc/509560/attr/keycreate
^[^#]*/proc/509562/task/509562/attr/sockcreate
^[^#]*/proc/509562/task/509562/attr/current
^[^#]*/proc/509562/task/509562/attr/exec
^[^#]*/proc/509562/attr/sockcreate
^[^#]*/proc/509562/timerslack_ns
^[^#]*/proc/509562/task/509562/attr/fscreate
^[^#]*/proc/509562/task/509562/attr/keycreate
^[^#]*/proc/509562/attr/keycreate
^[^#]*/proc/509563/task/509563/attr/current
^[^#]*/proc/509563/task/509563/attr/keycreate
^[^#]*/proc/509563/task/509563/attr/sockcreate
^[^#]*/proc/509566/attr/exec
^[^#]*/proc/509563/attr/fscreate
^[^#]*/proc/509563/attr/exec
^[^#]*/proc/509563/attr/current
^[^#]*/proc/509563/attr/keycreate
^[^#]*/proc/509563/attr/sockcreate
^[^#]*/proc/509563/task/509563/attr/fscreate
^[^#]*/proc/509563/timerslack_ns
^[^#]*/proc/509564/task/509564/attr/current
^[^#]*/proc/509564/task/509564/attr/keycreate
^[^#]*/proc/509564/task/509564/attr/sockcreate
^[^#]*/proc/509564/attr/exec
^[^#]*/proc/509564/task/509564/attr/exec
^[^#]*/proc/509564/attr/fscreate
^[^#]*/proc/509564/attr/sockcreate
^[^#]*/proc/509564/attr/keycreate
^[^#]*/proc/509564/attr/current
^[^#]*/proc/509564/task/509564/attr/fscreate
^[^#]*/proc/509564/timerslack_ns
^[^#]*/proc/509566/task/509566/attr/fscreate
^[^#]*/proc/509566/task/509566/attr/current
^[^#]*/proc/509566/task/509566/attr/keycreate
^[^#]*/proc/509566/task/509566/attr/exec
^[^#]*/proc/509566/task/509567/attr/fscreate
^[^#]*/proc/509566/task/509567/attr/exec
^[^#]*/proc/509566/task/509566/attr/sockcreate
^[^#]*/proc/509566/task/509567/attr/current
^[^#]*/proc/509566/task/509567/attr/keycreate
^[^#]*/proc/509566/task/509567/attr/sockcreate
^[^#]*/proc/509566/task/509568/attr/fscreate
^[^#]*/proc/509566/task/509568/attr/exec
^[^#]*/proc/509566/task/509568/attr/keycreate
^[^#]*/proc/509566/task/509568/attr/sockcreate
^[^#]*/proc/509566/task/509568/attr/current
^[^#]*/proc/509566/task/509569/attr/current
^[^#]*/proc/509566/task/509569/attr/sockcreate
^[^#]*/proc/509566/task/509571/attr/fscreate
^[^#]*/proc/509566/task/509571/attr/exec
^[^#]*/proc/509566/task/509569/attr/keycreate
^[^#]*/proc/509566/task/509569/attr/fscreate
^[^#]*/proc/509566/task/509569/attr/exec
^[^#]*/proc/509566/task/509571/attr/keycreate
^[^#]*/proc/509566/task/509571/attr/sockcreate
^[^#]*/proc/509566/task/509571/attr/current
^[^#]*/proc/509566/task/509572/attr/exec
^[^#]*/proc/509566/task/509572/attr/keycreate
^[^#]*/proc/509566/task/509573/attr/fscreate
^[^#]*/proc/509566/task/509572/attr/fscreate
^[^#]*/proc/509566/task/509572/attr/current
^[^#]*/proc/509566/task/509572/attr/sockcreate
^[^#]*/proc/509566/task/509573/attr/exec
^[^#]*/proc/509566/task/509573/attr/keycreate
^[^#]*/proc/509566/task/509573/attr/sockcreate
^[^#]*/proc/509566/task/509573/attr/current
^[^#]*/proc/509566/task/509575/attr/exec
^[^#]*/proc/509566/task/509575/attr/keycreate
^[^#]*/proc/509566/task/509576/attr/fscreate
^[^#]*/proc/509566/task/509575/attr/current
^[^#]*/proc/509566/task/509576/attr/exec
^[^#]*/proc/509566/task/509575/attr/fscreate
^[^#]*/proc/509566/task/509575/attr/sockcreate
^[^#]*/proc/509566/task/509576/attr/keycreate
^[^#]*/proc/509566/task/509576/attr/sockcreate
^[^#]*/proc/509566/task/509576/attr/current
^[^#]*/proc/509566/task/509577/attr/exec
^[^#]*/proc/509566/task/509577/attr/keycreate
^[^#]*/proc/509566/task/509579/attr/fscreate
^[^#]*/proc/509566/task/509577/attr/fscreate
^[^#]*/proc/509566/task/509577/attr/current
^[^#]*/proc/509566/task/509577/attr/sockcreate
^[^#]*/proc/509566/task/509579/attr/exec
^[^#]*/proc/509566/task/509579/attr/keycreate
^[^#]*/proc/509566/task/509579/attr/sockcreate
^[^#]*/proc/509566/task/509579/attr/current
^[^#]*/proc/509566/task/509580/attr/exec
^[^#]*/proc/509566/task/509580/attr/keycreate
^[^#]*/proc/509566/task/509581/attr/fscreate
^[^#]*/proc/509566/task/509580/attr/current
^[^#]*/proc/509566/task/509581/attr/exec
^[^#]*/proc/509566/task/509580/attr/fscreate
^[^#]*/proc/509566/task/509580/attr/sockcreate
^[^#]*/proc/509566/task/509581/attr/keycreate
^[^#]*/proc/509566/task/509581/attr/sockcreate
^[^#]*/proc/509566/task/509581/attr/current
^[^#]*/proc/509566/task/509583/attr/exec
^[^#]*/proc/509566/task/509583/attr/keycreate
^[^#]*/proc/509566/task/509584/attr/fscreate
^[^#]*/proc/509566/task/509583/attr/fscreate
^[^#]*/proc/509566/task/509583/attr/current
^[^#]*/proc/509566/task/509583/attr/sockcreate
^[^#]*/proc/509566/task/509584/attr/exec
^[^#]*/proc/509566/task/509584/attr/keycreate
^[^#]*/proc/509566/task/509584/attr/sockcreate
^[^#]*/proc/509566/task/509584/attr/current
^[^#]*/proc/509566/task/509585/attr/exec
^[^#]*/proc/509566/task/509585/attr/keycreate
^[^#]*/proc/509566/task/509587/attr/fscreate
^[^#]*/proc/509566/task/509585/attr/current
^[^#]*/proc/509566/task/509587/attr/exec
^[^#]*/proc/509566/task/509585/attr/fscreate
^[^#]*/proc/509566/task/509585/attr/sockcreate
^[^#]*/proc/509566/task/509587/attr/keycreate
^[^#]*/proc/509566/task/509587/attr/sockcreate
^[^#]*/proc/509566/task/509587/attr/current
^[^#]*/proc/509566/task/509588/attr/exec
^[^#]*/proc/509566/task/509588/attr/keycreate
^[^#]*/proc/509566/task/509589/attr/fscreate
^[^#]*/proc/509566/task/509588/attr/fscreate
^[^#]*/proc/509566/task/509588/attr/current
^[^#]*/proc/509566/task/509588/attr/sockcreate
^[^#]*/proc/509566/task/509589/attr/exec
^[^#]*/proc/509566/task/509589/attr/keycreate
^[^#]*/proc/509566/task/509589/attr/sockcreate
^[^#]*/proc/509566/task/509589/attr/current
^[^#]*/proc/509566/task/509592/attr/exec
^[^#]*/proc/509566/task/509592/attr/keycreate
^[^#]*/proc/509566/task/509593/attr/fscreate
^[^#]*/proc/509566/task/509592/attr/current
^[^#]*/proc/509566/task/509593/attr/exec
^[^#]*/proc/509566/task/509592/attr/fscreate
^[^#]*/proc/509566/task/509592/attr/sockcreate
^[^#]*/proc/509566/task/509593/attr/keycreate
^[^#]*/proc/509566/task/509593/attr/sockcreate
^[^#]*/proc/509566/task/509593/attr/current
^[^#]*/proc/509566/task/509594/attr/exec
^[^#]*/proc/509566/task/509594/attr/keycreate
^[^#]*/proc/509566/task/509607/attr/fscreate
^[^#]*/proc/509566/task/509594/attr/fscreate
^[^#]*/proc/509566/task/509594/attr/current
^[^#]*/proc/509566/task/509594/attr/sockcreate
^[^#]*/proc/509566/task/509607/attr/exec
^[^#]*/proc/509566/task/509607/attr/keycreate
^[^#]*/proc/509566/task/509607/attr/sockcreate
^[^#]*/proc/509566/task/509607/attr/current
^[^#]*/proc/509566/task/509608/attr/exec
^[^#]*/proc/509566/task/509608/attr/keycreate
^[^#]*/proc/509566/task/509609/attr/fscreate
^[^#]*/proc/509566/task/509608/attr/current
^[^#]*/proc/509566/task/509609/attr/exec
^[^#]*/proc/509566/task/509608/attr/fscreate
^[^#]*/proc/509566/task/509608/attr/sockcreate
^[^#]*/proc/509566/task/509609/attr/keycreate
^[^#]*/proc/509566/task/509609/attr/sockcreate
^[^#]*/proc/509566/task/509609/attr/current
^[^#]*/proc/509566/task/509612/attr/exec
^[^#]*/proc/509566/task/509612/attr/keycreate
^[^#]*/proc/509566/task/509613/attr/fscreate
^[^#]*/proc/509566/task/509612/attr/fscreate
^[^#]*/proc/509566/task/509612/attr/current
^[^#]*/proc/509566/task/509612/attr/sockcreate
^[^#]*/proc/509566/task/509613/attr/exec
^[^#]*/proc/509566/task/509613/attr/keycreate
^[^#]*/proc/509566/task/509613/attr/sockcreate
^[^#]*/proc/509566/task/509613/attr/current
^[^#]*/proc/509566/task/509614/attr/exec
^[^#]*/proc/509566/task/509614/attr/keycreate
^[^#]*/proc/509566/task/509616/attr/fscreate
^[^#]*/proc/509566/task/509614/attr/current
^[^#]*/proc/509566/task/509616/attr/exec
^[^#]*/proc/509566/task/509614/attr/fscreate
^[^#]*/proc/509566/task/509614/attr/sockcreate
^[^#]*/proc/509566/task/509616/attr/keycreate
^[^#]*/proc/509566/task/509616/attr/sockcreate
^[^#]*/proc/509566/task/509616/attr/current
^[^#]*/proc/509566/task/509617/attr/exec
^[^#]*/proc/509566/task/509617/attr/keycreate
^[^#]*/proc/509566/task/509618/attr/fscreate
^[^#]*/proc/509566/task/509617/attr/fscreate
^[^#]*/proc/509566/task/509617/attr/current
^[^#]*/proc/509566/task/509617/attr/sockcreate
^[^#]*/proc/509566/task/509618/attr/exec
^[^#]*/proc/509566/task/509618/attr/keycreate
^[^#]*/proc/509566/task/509618/attr/sockcreate
^[^#]*/proc/509566/task/509618/attr/current
^[^#]*/proc/509566/task/509621/attr/exec
^[^#]*/proc/509566/task/509621/attr/keycreate
^[^#]*/proc/509566/task/509622/attr/fscreate
^[^#]*/proc/509566/task/509621/attr/current
^[^#]*/proc/509566/task/509622/attr/exec
^[^#]*/proc/509566/task/509621/attr/fscreate
^[^#]*/proc/509566/task/509621/attr/sockcreate
^[^#]*/proc/509566/task/509622/attr/keycreate
^[^#]*/proc/509566/task/509622/attr/sockcreate
^[^#]*/proc/509566/task/509622/attr/current
^[^#]*/proc/509566/task/509623/attr/exec
^[^#]*/proc/509566/task/509623/attr/keycreate
^[^#]*/proc/509566/task/509632/attr/fscreate
^[^#]*/proc/509566/task/509623/attr/fscreate
^[^#]*/proc/509566/task/509623/attr/current
^[^#]*/proc/509566/task/509623/attr/sockcreate
^[^#]*/proc/509566/task/509632/attr/exec
^[^#]*/proc/509566/task/509632/attr/keycreate
^[^#]*/proc/509566/task/509632/attr/sockcreate
^[^#]*/proc/509566/task/509632/attr/current
^[^#]*/proc/509566/task/509633/attr/exec
^[^#]*/proc/509566/task/509633/attr/keycreate
^[^#]*/proc/509566/task/509634/attr/fscreate
^[^#]*/proc/509566/task/509633/attr/current
^[^#]*/proc/509566/task/509634/attr/exec
^[^#]*/proc/509566/task/509633/attr/fscreate
^[^#]*/proc/509566/task/509633/attr/sockcreate
^[^#]*/proc/509566/task/509634/attr/keycreate
^[^#]*/proc/509566/task/509634/attr/sockcreate
^[^#]*/proc/509566/task/509634/attr/current
^[^#]*/proc/509566/task/509639/attr/exec
^[^#]*/proc/509566/task/509639/attr/keycreate
^[^#]*/proc/509566/task/509640/attr/fscreate
^[^#]*/proc/509566/task/509639/attr/fscreate
^[^#]*/proc/509566/task/509639/attr/current
^[^#]*/proc/509566/task/509639/attr/sockcreate
^[^#]*/proc/509566/task/509640/attr/exec
^[^#]*/proc/509566/task/509640/attr/keycreate
^[^#]*/proc/509566/task/509640/attr/sockcreate
^[^#]*/proc/509566/task/509640/attr/current
^[^#]*/proc/509566/task/509641/attr/exec
^[^#]*/proc/509566/task/509641/attr/keycreate
^[^#]*/proc/509566/task/509659/attr/fscreate
^[^#]*/proc/509566/task/509641/attr/current
^[^#]*/proc/509566/task/509659/attr/exec
^[^#]*/proc/509566/task/509641/attr/fscreate
^[^#]*/proc/509566/task/509641/attr/sockcreate
^[^#]*/proc/509566/task/509659/attr/keycreate
^[^#]*/proc/509566/task/509659/attr/sockcreate
^[^#]*/proc/509566/task/509659/attr/current
^[^#]*/proc/509566/task/509660/attr/exec
^[^#]*/proc/509566/task/509660/attr/keycreate
^[^#]*/proc/509566/task/509661/attr/fscreate
^[^#]*/proc/509566/task/509660/attr/fscreate
^[^#]*/proc/509566/task/509660/attr/current
^[^#]*/proc/509566/task/509660/attr/sockcreate
^[^#]*/proc/509566/task/509661/attr/exec
^[^#]*/proc/509566/task/509661/attr/keycreate
^[^#]*/proc/509566/task/509661/attr/sockcreate
^[^#]*/proc/509566/task/509661/attr/current
^[^#]*/proc/509566/task/509709/attr/exec
^[^#]*/proc/509566/task/509709/attr/keycreate
^[^#]*/proc/509566/task/509710/attr/fscreate
^[^#]*/proc/509566/task/509709/attr/current
^[^#]*/proc/509566/task/509710/attr/exec
^[^#]*/proc/509566/task/509709/attr/fscreate
^[^#]*/proc/509566/task/509709/attr/sockcreate
^[^#]*/proc/509566/task/509710/attr/keycreate
^[^#]*/proc/509566/task/509710/attr/sockcreate
^[^#]*/proc/509566/task/509710/attr/current
^[^#]*/proc/509566/task/509711/attr/exec
^[^#]*/proc/509566/task/509711/attr/keycreate
^[^#]*/proc/509566/task/509726/attr/fscreate
^[^#]*/proc/509566/task/509711/attr/fscreate
^[^#]*/proc/509566/task/509711/attr/current
^[^#]*/proc/509566/task/509711/attr/sockcreate
^[^#]*/proc/509566/task/509726/attr/exec
^[^#]*/proc/509566/task/509726/attr/keycreate
^[^#]*/proc/509566/task/509726/attr/sockcreate
^[^#]*/proc/509566/task/509726/attr/current
^[^#]*/proc/509566/task/509727/attr/exec
^[^#]*/proc/509566/task/509727/attr/keycreate
^[^#]*/proc/509566/task/509728/attr/fscreate
^[^#]*/proc/509566/task/509727/attr/current
^[^#]*/proc/509566/task/509728/attr/exec
^[^#]*/proc/509566/task/509727/attr/fscreate
^[^#]*/proc/509566/task/509727/attr/sockcreate
^[^#]*/proc/509566/task/509728/attr/keycreate
^[^#]*/proc/509566/task/509728/attr/sockcreate
^[^#]*/proc/509566/task/509728/attr/current
^[^#]*/proc/509566/task/509747/attr/exec
^[^#]*/proc/509566/task/509747/attr/keycreate
^[^#]*/proc/509566/attr/current
^[^#]*/proc/509566/attr/keycreate
^[^#]*/proc/509566/task/509747/attr/fscreate
^[^#]*/proc/509566/task/509747/attr/current
^[^#]*/proc/509566/task/509747/attr/sockcreate
^[^#]*/proc/509566/attr/fscreate
^[^#]*/proc/509566/attr/sockcreate
^[^#]*/proc/509566/timerslack_ns
^[^#]*/sys/fs/selinux/access
^[^#]*/sys/fs/selinux/context
^[^#]*/sys/fs/cgroup/memory/user\.slice/cgroup\.event_control
^[^#]*/sys/fs/selinux/create
^[^#]*/sys/fs/selinux/member
^[^#]*/sys/fs/cgroup/memory/user\.slice/user-1000\.slice/user-runtime-dir@1000\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/init\.scope/cgroup\.event_control
^[^#]*/sys/fs/selinux/user
^[^#]*/sys/fs/selinux/relabel
^[^#]*/sys/fs/cgroup/memory/user\.slice/user-1000\.slice/session-17\.scope/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/user\.slice/user-1000\.slice/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/user\.slice/user-1000\.slice/user@1000\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/rngd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-systemd\\x2dfsck\.slice/systemd-fsck@dev-disk-by\\x2duuid-F5ED\\x2dF457\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-update-utmp\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/libstoragemgmt\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-systemd\\x2dfsck\.slice/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/irqbalance\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/iscsid\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-udevd-control\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/lvm2-monitor\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-journal-flush\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-sysctl\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-udevd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-udevd-kernel\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-serial\\x2dgetty\.slice/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-serial\\x2dgetty\.slice/serial-getty@ttyS0\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/rngd-wake-threshold\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/boot\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/import-state\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/sys-kernel-config\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/polkit\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-remount-fs\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/chronyd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/sys-kernel-debug\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/lvm2-lvmpolld\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/auditd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/home\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/mnt\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/tuned\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-sshd\\x2dkeygen\.slice/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-tmpfiles-setup\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/-\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-journald-dev-log\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-coredump\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/kdump\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/cloud-init-local\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-journald\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/atd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-udev-trigger\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/sshd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/vdo\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/dev-mqueue\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/crond\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-initctl\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/NetworkManager\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/iscsi-shutdown\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-random-seed\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/dbus\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/cloud-final\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/usr\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/rsyslog\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-modules-load\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/tmp\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/firewalld\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/boot-efi\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-udev-settle\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/sys-kernel-tracing\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-tmpfiles-setup-dev\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/cloud-config\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/sys-kernel-debug-tracing\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/var\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/sssd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-journald\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/kmod-static-nodes\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/proc-sys-fs-binfmt_misc\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/hypervkvpd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/sssd-kcm\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/rhsmcertd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/iscsiuio\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/mcelog\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-resolved\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-lvm2\\x2dpvscan\.slice/lvm2-pvscan@8:2\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-lvm2\\x2dpvscan\.slice/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/cloud-init\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/multipathd\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/nis-domainname\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/dev-hugepages\.mount/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/dbus\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-getty\.slice/getty@tty1\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/dracut-shutdown\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/NetworkManager-wait-online\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/system-getty\.slice/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-user-sessions\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/azure\.slice/waagent\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/dm-event\.socket/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/smartd\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/system\.slice/systemd-logind\.service/cgroup\.event_control
^[^#]*/sys/fs/cgroup/memory/azure\.slice/cgroup\.event_control
/sys/fs/selinux/validatetrans
/proc/sys/kernel/ns_last_pid
/proc/2/task/2/attr/current
/proc/1/task/1/attr/current
/proc/1/task/1/attr/keycreate
/proc/1/attr/current
/proc/1/attr/fscreate
/proc/2/attr/exec
/proc/1/task/1/attr/sockcreate
/proc/1/attr/keycreate
/proc/1/task/1/attr/exec
/proc/1/task/1/attr/fscreate
/proc/1/attr/exec
/proc/1/timerslack_ns
/proc/1/attr/sockcreate
/proc/2/task/2/attr/keycreate
/proc/2/task/2/attr/sockcreate
/proc/2/attr/current
/proc/2/attr/keycreate
/proc/2/timerslack_ns
/proc/2/attr/sockcreate
/proc/3/attr/fscreate
/proc/2/task/2/attr/exec
/proc/2/task/2/attr/fscreate
/proc/2/attr/fscreate
/proc/3/task/3/attr/exec
/proc/3/task/3/attr/keycreate
/proc/3/task/3/attr/sockcreate
/proc/3/attr/current
/proc/3/attr/exec
/proc/4/attr/fscreate
/proc/3/timerslack_ns
/proc/3/attr/sockcreate
/proc/4/task/4/attr/current
/proc/3/task/3/attr/current
/proc/3/task/3/attr/fscreate
/proc/3/attr/keycreate
/proc/4/task/4/attr/keycreate
/proc/4/task/4/attr/sockcreate
/proc/4/attr/exec
/proc/4/attr/current
/proc/4/timerslack_ns
/proc/4/attr/sockcreate
/proc/6/task/6/attr/current
/proc/6/attr/fscreate
/proc/4/task/4/attr/exec
/proc/4/task/4/attr/fscreate
/proc/4/attr/keycreate
/proc/6/task/6/attr/fscreate
/proc/6/task/6/attr/exec
/proc/6/task/6/attr/keycreate
/proc/6/task/6/attr/sockcreate
/proc/6/attr/current
/proc/6/attr/exec
/proc/6/timerslack_ns
/proc/6/attr/sockcreate
/proc/9/attr/fscreate
/proc/6/attr/keycreate
/proc/9/attr/exec
/proc/9/task/9/attr/current
/proc/9/task/9/attr/keycreate
/proc/9/task/9/attr/sockcreate
/proc/9/attr/current
/proc/9/timerslack_ns
/proc/9/attr/sockcreate
/proc/10/attr/keycreate
/proc/9/task/9/attr/exec
/proc/9/task/9/attr/fscreate
/proc/9/attr/keycreate
/proc/10/attr/exec
/proc/10/task/10/attr/current
/proc/10/attr/current
/proc/10/task/10/attr/sockcreate
/proc/10/attr/fscreate
/proc/10/timerslack_ns
/proc/10/attr/sockcreate
/proc/11/attr/fscreate
/proc/11/timerslack_ns
/proc/10/task/10/attr/exec
/proc/10/task/10/attr/fscreate
/proc/10/task/10/attr/keycreate
/proc/11/task/11/attr/current
/proc/11/task/11/attr/keycreate
/proc/11/task/11/attr/sockcreate
/proc/11/attr/exec
/proc/11/task/11/attr/fscreate
/proc/11/attr/current
/proc/12/attr/keycreate
/proc/11/attr/sockcreate
/proc/11/task/11/attr/exec
/proc/11/attr/keycreate
/proc/12/attr/fscreate
/proc/12/task/12/attr/current
/proc/12/task/12/attr/keycreate
/proc/12/task/12/attr/sockcreate
/proc/12/attr/exec
/proc/12/attr/current
/proc/13/attr/exec
/proc/12/task/12/attr/exec
/proc/12/task/12/attr/fscreate
/proc/12/timerslack_ns
/proc/12/attr/sockcreate
/proc/13/task/13/attr/current
/proc/13/task/13/attr/keycreate
/proc/13/attr/current
/proc/13/task/13/attr/sockcreate
/proc/13/attr/fscreate
/proc/13/timerslack_ns
/proc/13/attr/sockcreate
/proc/14/timerslack_ns
/proc/14/attr/current
/proc/13/task/13/attr/fscreate
/proc/13/task/13/attr/exec
/proc/13/attr/keycreate
/proc/14/task/14/attr/current
/proc/14/task/14/attr/keycreate
/proc/14/task/14/attr/sockcreate
/proc/14/attr/fscreate
/proc/14/attr/exec
/proc/14/attr/sockcreate
/proc/15/attr/fscreate
/proc/15/attr/exec
/proc/14/task/14/attr/fscreate
/proc/14/task/14/attr/exec
/proc/14/attr/keycreate
/proc/15/task/15/attr/current
/proc/15/task/15/attr/keycreate
/proc/15/task/15/attr/sockcreate
/proc/15/attr/current
/proc/15/timerslack_ns
/proc/15/attr/sockcreate
/proc/15/task/15/attr/fscreate
/proc/15/task/15/attr/exec
/proc/15/attr/keycreate
/proc/16/task/16/attr/current
/proc/16/task/16/attr/keycreate
/proc/16/task/16/attr/sockcreate
/proc/16/attr/fscreate
/proc/16/attr/keycreate
/proc/16/timerslack_ns
/proc/16/attr/sockcreate
/proc/16/attr/exec
/proc/16/attr/current
/proc/17/attr/fscreate
/proc/16/task/16/attr/fscreate
/proc/16/task/16/attr/exec
/proc/17/attr/current
/proc/17/task/17/attr/current
/proc/17/task/17/attr/keycreate
/proc/17/task/17/attr/sockcreate
/proc/17/attr/exec
/proc/17/timerslack_ns
/proc/17/attr/sockcreate
/proc/18/attr/keycreate
/proc/17/task/17/attr/fscreate
/proc/17/task/17/attr/exec
/proc/17/attr/keycreate
/proc/18/task/18/attr/keycreate
/proc/18/task/18/attr/sockcreate
/proc/18/attr/current
/proc/18/task/18/attr/current
/proc/18/attr/fscreate
/proc/18/attr/exec
/proc/20/attr/exec
/proc/18/task/18/attr/exec
/proc/18/task/18/attr/fscreate
/proc/18/timerslack_ns
/proc/18/attr/sockcreate
/proc/20/attr/fscreate
/proc/20/task/20/attr/fscreate
/proc/20/task/20/attr/keycreate
/proc/20/task/20/attr/sockcreate
/proc/20/attr/current
/proc/20/task/20/attr/current
/proc/23/attr/keycreate
/proc/20/timerslack_ns
/proc/20/attr/sockcreate
/proc/20/task/20/attr/exec
/proc/20/attr/keycreate
/proc/23/task/23/attr/current
/proc/23/task/23/attr/keycreate
/proc/23/task/23/attr/sockcreate
/proc/23/attr/exec
/proc/23/attr/current
/proc/23/attr/fscreate
/proc/23/task/23/attr/fscreate
/proc/23/task/23/attr/exec
/proc/23/timerslack_ns
/proc/23/attr/sockcreate
/proc/24/task/24/attr/keycreate
/proc/24/attr/current
/proc/24/task/24/attr/sockcreate
/proc/24/task/24/attr/current
/proc/24/attr/exec
/proc/24/attr/fscreate
/proc/24/attr/sockcreate
/proc/24/timerslack_ns
/proc/25/attr/fscreate
/proc/25/timerslack_ns
/proc/24/task/24/attr/exec
/proc/24/task/24/attr/fscreate
/proc/24/attr/keycreate
/proc/25/attr/exec
/proc/25/task/25/attr/current
/proc/25/task/25/attr/fscreate
/proc/25/task/25/attr/keycreate
/proc/25/task/25/attr/sockcreate
/proc/25/attr/current
/proc/25/attr/sockcreate
/proc/27/timerslack_ns
/proc/27/attr/current
/proc/25/task/25/attr/exec
/proc/25/attr/keycreate
/proc/27/task/27/attr/current
/proc/27/task/27/attr/sockcreate
/proc/27/attr/exec
/proc/27/attr/fscreate
/proc/27/task/27/attr/fscreate
/proc/27/attr/sockcreate
/proc/28/attr/fscreate
/proc/28/timerslack_ns
/proc/27/task/27/attr/exec
/proc/27/task/27/attr/keycreate
/proc/27/attr/keycreate
/proc/28/task/28/attr/fscreate
/proc/28/task/28/attr/keycreate
/proc/28/task/28/attr/sockcreate
/proc/28/attr/current
/proc/28/attr/exec
/proc/28/task/28/attr/current
/proc/28/attr/sockcreate
/proc/29/attr/keycreate
/proc/29/timerslack_ns
/proc/28/task/28/attr/exec
/proc/28/attr/keycreate
/proc/29/task/29/attr/current
/proc/29/task/29/attr/keycreate
/proc/29/task/29/attr/sockcreate
/proc/29/attr/current
/proc/29/attr/exec
/proc/29/attr/fscreate
/proc/30/attr/keycreate
/proc/29/task/29/attr/fscreate
/proc/29/task/29/attr/exec
/proc/29/attr/sockcreate
/proc/30/task/30/attr/keycreate
/proc/30/task/30/attr/sockcreate
/proc/30/attr/exec
/proc/30/task/30/attr/current
/proc/30/attr/current
/proc/30/attr/fscreate
/proc/30/task/30/attr/exec
/proc/30/task/30/attr/fscreate
/proc/30/timerslack_ns
/proc/30/attr/sockcreate
/proc/31/attr/fscreate
/proc/31/task/31/attr/current
/proc/31/task/31/attr/keycreate
/proc/31/task/31/attr/sockcreate
/proc/31/attr/exec
/proc/31/attr/current
/proc/31/timerslack_ns
/proc/31/attr/sockcreate
/proc/32/attr/keycreate
/proc/32/timerslack_ns
/proc/31/task/31/attr/fscreate
/proc/31/task/31/attr/exec
/proc/31/attr/keycreate
/proc/32/attr/fscreate
/proc/32/task/32/attr/fscreate
/proc/32/attr/current
/proc/32/task/32/attr/sockcreate
/proc/32/task/32/attr/current
/proc/32/attr/exec
/proc/33/timerslack_ns
/proc/33/attr/exec
/proc/32/task/32/attr/exec
/proc/32/task/32/attr/keycreate
/proc/32/attr/sockcreate
/proc/33/attr/fscreate
/proc/33/task/33/attr/current
/proc/33/task/33/attr/keycreate
/proc/33/task/33/attr/sockcreate
/proc/33/attr/current
/proc/34/attr/keycreate
/proc/33/attr/sockcreate
/proc/34/task/34/attr/current
/proc/34/attr/exec
/proc/33/task/33/attr/fscreate
/proc/33/task/33/attr/exec
/proc/33/attr/keycreate
/proc/34/task/34/attr/keycreate
/proc/34/task/34/attr/sockcreate
/proc/34/attr/fscreate
/proc/35/attr/keycreate
/proc/35/timerslack_ns
/proc/34/task/34/attr/fscreate
/proc/34/task/34/attr/exec
/proc/34/attr/current
/proc/34/timerslack_ns
/proc/34/attr/sockcreate
/proc/35/task/35/attr/fscreate
/proc/35/task/35/attr/keycreate
/proc/35/task/35/attr/sockcreate
/proc/35/attr/current
/proc/35/task/35/attr/current
/proc/35/attr/exec
/proc/35/attr/fscreate
/proc/36/attr/keycreate
/proc/35/attr/sockcreate
/proc/36/attr/current
/proc/35/task/35/attr/exec
/proc/36/attr/fscreate
/proc/36/task/36/attr/current
/proc/36/task/36/attr/keycreate
/proc/36/task/36/attr/sockcreate
/proc/36/attr/exec
/proc/37/attr/fscreate
/proc/37/timerslack_ns
/proc/37/attr/exec
/proc/36/task/36/attr/fscreate
/proc/36/task/36/attr/exec
/proc/36/timerslack_ns
/proc/36/attr/sockcreate
/proc/37/task/37/attr/fscreate
/proc/37/task/37/attr/keycreate
/proc/37/task/37/attr/sockcreate
/proc/37/task/37/attr/current
/proc/37/attr/current
/proc/37/attr/sockcreate
/proc/38/timerslack_ns
/proc/37/task/37/attr/exec
/proc/37/attr/keycreate
/proc/38/attr/exec
/proc/38/task/38/attr/current
/proc/38/task/38/attr/keycreate
/proc/38/attr/current
/proc/38/task/38/attr/sockcreate
/proc/38/attr/fscreate
/proc/38/attr/sockcreate
/proc/39/attr/fscreate
/proc/38/task/38/attr/fscreate
/proc/38/task/38/attr/exec
/proc/38/attr/keycreate
/proc/39/task/39/attr/current
/proc/39/task/39/attr/keycreate
/proc/39/task/39/attr/sockcreate
/proc/39/attr/exec
/proc/39/attr/current
/proc/41/attr/exec
/proc/39/timerslack_ns
/proc/39/attr/sockcreate
/proc/40/attr/fscreate
/proc/40/timerslack_ns
/proc/39/task/39/attr/fscreate
/proc/39/task/39/attr/exec
/proc/39/attr/keycreate
/proc/40/task/40/attr/current
/proc/40/task/40/attr/keycreate
/proc/40/attr/current
/proc/40/task/40/attr/sockcreate
/proc/40/attr/exec
/proc/40/attr/sockcreate
/proc/40/task/40/attr/fscreate
/proc/40/task/40/attr/exec
/proc/40/attr/keycreate
/proc/41/task/41/attr/current
/proc/41/task/41/attr/keycreate
/proc/41/attr/current
/proc/41/task/41/attr/sockcreate
/proc/41/attr/fscreate
/proc/62/attr/exec
/proc/41/task/41/attr/fscreate
/proc/41/task/41/attr/exec
/proc/41/attr/keycreate
/proc/41/timerslack_ns
/proc/41/attr/sockcreate
/proc/62/attr/fscreate
/proc/62/task/62/attr/fscreate
/proc/62/task/62/attr/keycreate
/proc/62/task/62/attr/sockcreate
/proc/62/attr/current
/proc/62/task/62/attr/current
/proc/62/timerslack_ns
/proc/62/attr/sockcreate
/proc/155/task/155/attr/current
/proc/62/task/62/attr/exec
/proc/62/attr/keycreate
/proc/155/attr/fscreate
/proc/155/task/155/attr/keycreate
/proc/155/task/155/attr/sockcreate
/proc/155/attr/current
/proc/155/attr/exec
/proc/155/timerslack_ns
/proc/155/attr/sockcreate
/proc/155/task/155/attr/fscreate
/proc/155/task/155/attr/exec
/proc/155/attr/keycreate
/proc/156/task/156/attr/current
/proc/156/task/156/attr/keycreate
/proc/156/task/156/attr/sockcreate
/proc/156/attr/current
/proc/156/attr/exec
/proc/156/attr/fscreate
/proc/156/attr/sockcreate
/proc/156/timerslack_ns
/proc/157/task/157/attr/current
/proc/156/task/156/attr/exec
/proc/156/task/156/attr/fscreate
/proc/156/attr/keycreate
/proc/157/task/157/attr/fscreate
/proc/157/task/157/attr/keycreate
/proc/157/task/157/attr/sockcreate
/proc/157/attr/exec
/proc/157/attr/fscreate
/proc/157/attr/current
/proc/157/attr/sockcreate
/proc/157/timerslack_ns
/proc/158/attr/keycreate
/proc/157/task/157/attr/exec
/proc/157/attr/keycreate
/proc/158/attr/fscreate
/proc/158/task/158/attr/current
/proc/158/task/158/attr/keycreate
/proc/158/task/158/attr/sockcreate
/proc/158/attr/exec
/proc/158/attr/current
/proc/158/timerslack_ns
/proc/159/task/159/attr/current
/proc/159/attr/fscreate
/proc/158/task/158/attr/exec
/proc/158/task/158/attr/fscreate
/proc/158/attr/sockcreate
/proc/159/attr/exec
/proc/159/task/159/attr/keycreate
/proc/159/task/159/attr/sockcreate
/proc/159/attr/current
/proc/159/attr/sockcreate
/proc/159/timerslack_ns
/proc/160/task/160/attr/current
/proc/159/task/159/attr/fscreate
/proc/159/task/159/attr/exec
/proc/159/attr/keycreate
/proc/160/attr/exec
/proc/160/task/160/attr/keycreate
/proc/160/task/160/attr/sockcreate
/proc/160/attr/fscreate
/proc/160/attr/current
/proc/160/attr/sockcreate
/proc/160/timerslack_ns
/proc/239/task/239/attr/current
/proc/239/attr/fscreate
/proc/160/task/160/attr/fscreate
/proc/160/task/160/attr/exec
/proc/160/attr/keycreate
/proc/239/task/239/attr/keycreate
/proc/239/task/239/attr/sockcreate
/proc/239/attr/current
/proc/239/attr/exec
/proc/239/timerslack_ns
/proc/433/attr/keycreate
/proc/239/attr/sockcreate
/proc/433/task/433/attr/current
/proc/239/task/239/attr/exec
/proc/239/task/239/attr/fscreate
/proc/239/attr/keycreate
/proc/433/attr/fscreate
/proc/433/task/433/attr/fscreate
/proc/433/task/433/attr/keycreate
/proc/433/attr/current
/proc/433/task/433/attr/sockcreate
/proc/433/attr/exec
/proc/433/attr/sockcreate
/proc/433/timerslack_ns
/proc/435/task/435/attr/current
/proc/435/attr/keycreate
/proc/435/attr/exec
/proc/433/task/433/attr/exec
/proc/435/task/435/attr/keycreate
/proc/435/task/435/attr/sockcreate
/proc/435/attr/fscreate
/proc/435/timerslack_ns
/proc/435/attr/current
/proc/437/task/437/attr/current
/proc/435/task/435/attr/fscreate
/proc/435/task/435/attr/exec
/proc/435/attr/sockcreate
/proc/444/task/444/attr/current
/proc/437/task/437/attr/keycreate
/proc/437/task/437/attr/sockcreate
/proc/437/attr/exec
/proc/437/attr/fscreate
/proc/437/attr/current
/proc/437/attr/sockcreate
/proc/437/timerslack_ns
/proc/441/attr/fscreate
/proc/441/attr/current
/proc/437/task/437/attr/fscreate
/proc/437/task/437/attr/exec
/proc/437/attr/keycreate
/proc/441/attr/exec
/proc/441/task/441/attr/keycreate
/proc/441/task/441/attr/sockcreate
/proc/441/task/441/attr/fscreate
/proc/441/task/441/attr/current
/proc/441/attr/sockcreate
/proc/441/timerslack_ns
/proc/444/attr/exec
/proc/444/attr/fscreate
/proc/441/task/441/attr/exec
/proc/441/attr/keycreate
/proc/444/task/444/attr/fscreate
/proc/444/task/444/attr/keycreate
/proc/444/task/444/attr/sockcreate
/proc/444/attr/current
/proc/444/timerslack_ns
/proc/444/attr/sockcreate
/proc/445/task/445/attr/current
/proc/444/task/444/attr/exec
/proc/444/attr/keycreate
/proc/445/task/445/attr/keycreate
/proc/445/task/445/attr/sockcreate
/proc/445/attr/exec
/proc/445/attr/fscreate
/proc/445/attr/current
/proc/445/attr/sockcreate
/proc/445/timerslack_ns
/proc/447/task/447/attr/current
/proc/447/attr/keycreate
/proc/445/task/445/attr/fscreate
/proc/445/task/445/attr/exec
/proc/445/attr/keycreate
/proc/447/task/447/attr/keycreate
/proc/447/task/447/attr/sockcreate
/proc/447/attr/current
/proc/447/timerslack_ns
/proc/447/attr/fscreate
/proc/447/attr/exec
/proc/447/task/447/attr/fscreate
/proc/447/task/447/attr/exec
/proc/447/attr/sockcreate
/proc/448/task/448/attr/fscreate
/proc/448/task/448/attr/keycreate
/proc/448/task/448/attr/sockcreate
/proc/448/attr/current
/proc/448/attr/fscreate
/proc/448/task/448/attr/current
/proc/448/attr/exec
/proc/448/attr/keycreate
/proc/448/timerslack_ns
/proc/449/task/449/attr/current
/proc/449/attr/keycreate
/proc/448/task/448/attr/exec
/proc/448/attr/sockcreate
/proc/449/attr/current
/proc/449/task/449/attr/fscreate
/proc/449/task/449/attr/keycreate
/proc/449/task/449/attr/sockcreate
/proc/449/attr/fscreate
/proc/449/attr/exec
/proc/449/timerslack_ns
/proc/519/task/519/attr/current
/proc/519/attr/keycreate
/proc/449/task/449/attr/exec
/proc/449/attr/sockcreate
/proc/519/task/519/attr/keycreate
/proc/519/task/519/attr/sockcreate
/proc/519/attr/exec
/proc/519/attr/fscreate
/proc/519/timerslack_ns
/proc/522/attr/keycreate
/proc/519/attr/current
/proc/519/attr/sockcreate
/proc/522/attr/exec
/proc/519/task/519/attr/fscreate
/proc/519/task/519/attr/exec
/proc/522/task/522/attr/current
/proc/522/task/522/attr/keycreate
/proc/522/attr/current
/proc/522/task/522/attr/sockcreate
/proc/522/attr/fscreate
/proc/522/attr/sockcreate
/proc/522/timerslack_ns
/proc/525/attr/fscreate
/proc/522/task/522/attr/fscreate
/proc/522/task/522/attr/exec
/proc/525/task/525/attr/current
/proc/525/task/525/attr/keycreate
/proc/525/task/525/attr/sockcreate
/proc/525/attr/exec
/proc/525/attr/current
/proc/525/attr/sockcreate
/proc/525/timerslack_ns
/proc/528/attr/keycreate
/proc/525/task/525/attr/exec
/proc/525/task/525/attr/fscreate
/proc/525/attr/keycreate
/proc/528/task/528/attr/current
/proc/528/task/528/attr/keycreate
/proc/528/task/528/attr/sockcreate
/proc/528/attr/exec
/proc/528/attr/fscreate
/proc/528/timerslack_ns
/proc/534/task/534/attr/current
/proc/528/attr/current
/proc/528/attr/sockcreate
/proc/528/task/528/attr/fscreate
/proc/528/task/528/attr/exec
/proc/534/attr/current
/proc/534/attr/exec
/proc/534/task/534/attr/keycreate
/proc/534/task/534/attr/sockcreate
/proc/534/attr/fscreate
/proc/534/attr/sockcreate
/proc/534/timerslack_ns
/proc/534/task/534/attr/fscreate
/proc/534/task/534/attr/exec
/proc/534/attr/keycreate
/proc/562/attr/exec
/proc/562/attr/fscreate
/proc/562/task/562/attr/keycreate
/proc/562/task/562/attr/sockcreate
/proc/562/attr/current
/proc/562/task/562/attr/current
/proc/562/attr/sockcreate
/proc/562/timerslack_ns
/proc/563/task/563/attr/current
/proc/563/attr/fscreate
/proc/562/task/562/attr/exec
/proc/562/task/562/attr/fscreate
/proc/562/attr/keycreate
/proc/563/attr/current
/proc/563/attr/exec
/proc/563/task/563/attr/keycreate
/proc/563/task/563/attr/sockcreate
/proc/563/attr/sockcreate
/proc/563/timerslack_ns
/proc/564/attr/keycreate
/proc/563/task/563/attr/fscreate
/proc/563/task/563/attr/exec
/proc/563/attr/keycreate
/proc/564/task/564/attr/keycreate
/proc/564/task/564/attr/sockcreate
/proc/564/attr/current
/proc/564/attr/fscreate
/proc/564/attr/exec
/proc/564/timerslack_ns
/proc/565/task/565/attr/current
/proc/565/attr/keycreate
/proc/564/task/564/attr/current
/proc/564/task/564/attr/fscreate
/proc/564/task/564/attr/exec
/proc/564/attr/sockcreate
/proc/565/task/565/attr/keycreate
/proc/565/task/565/attr/sockcreate
/proc/565/attr/exec
/proc/565/attr/fscreate
/proc/565/timerslack_ns
/proc/566/task/566/attr/current
/proc/566/attr/keycreate
/proc/565/attr/current
/proc/565/task/565/attr/fscreate
/proc/565/task/565/attr/exec
/proc/565/attr/sockcreate
/proc/566/attr/fscreate
/proc/566/task/566/attr/keycreate
/proc/566/task/566/attr/sockcreate
/proc/566/attr/current
/proc/566/attr/exec
/proc/566/timerslack_ns
/proc/567/attr/keycreate
/proc/567/task/567/attr/current
/proc/567/attr/exec
/proc/566/task/566/attr/fscreate
/proc/566/task/566/attr/exec
/proc/566/attr/sockcreate
/proc/567/attr/fscreate
/proc/567/task/567/attr/keycreate
/proc/567/task/567/attr/sockcreate
/proc/567/attr/current
/proc/567/timerslack_ns
/proc/568/task/568/attr/current
/proc/568/attr/fscreate
/proc/567/task/567/attr/fscreate
/proc/567/task/567/attr/exec
/proc/567/attr/sockcreate
/proc/568/task/568/attr/keycreate
/proc/568/task/568/attr/sockcreate
/proc/568/attr/current
/proc/568/attr/exec
/proc/568/attr/sockcreate
/proc/568/timerslack_ns
/proc/569/attr/keycreate
/proc/568/task/568/attr/fscreate
/proc/568/task/568/attr/exec
/proc/568/attr/keycreate
/proc/569/task/569/attr/fscreate
/proc/569/task/569/attr/keycreate
/proc/569/task/569/attr/sockcreate
/proc/569/attr/exec
/proc/569/attr/current
/proc/569/attr/fscreate
/proc/569/timerslack_ns
/proc/570/task/570/attr/current
/proc/570/attr/fscreate
/proc/569/task/569/attr/current
/proc/569/task/569/attr/exec
/proc/569/attr/sockcreate
/proc/570/task/570/attr/keycreate
/proc/570/task/570/attr/sockcreate
/proc/570/attr/current
/proc/570/attr/exec
/proc/570/attr/sockcreate
/proc/570/timerslack_ns
/proc/604/attr/exec
/proc/604/attr/fscreate
/proc/570/task/570/attr/fscreate
/proc/570/task/570/attr/exec
/proc/570/attr/keycreate
/proc/604/task/604/attr/current
/proc/604/task/604/attr/keycreate
/proc/604/task/604/attr/sockcreate
/proc/604/attr/current
/proc/604/attr/sockcreate
/proc/604/timerslack_ns
/proc/605/task/605/attr/current
/proc/605/attr/fscreate
/proc/604/task/604/attr/fscreate
/proc/604/task/604/attr/exec
/proc/604/attr/keycreate
/proc/605/attr/exec
/proc/608/attr/exec
/proc/605/task/605/attr/keycreate
/proc/605/task/605/attr/sockcreate
/proc/605/attr/current
/proc/605/attr/sockcreate
/proc/605/timerslack_ns
/proc/606/task/606/attr/current
/proc/606/attr/keycreate
/proc/605/task/605/attr/fscreate
/proc/605/task/605/attr/exec
/proc/605/attr/keycreate
/proc/606/task/606/attr/keycreate
/proc/606/task/606/attr/sockcreate
/proc/606/attr/exec
/proc/606/attr/current
/proc/606/attr/fscreate
/proc/606/attr/sockcreate
/proc/606/timerslack_ns
/proc/606/task/606/attr/fscreate
/proc/606/task/606/attr/exec
/proc/608/attr/fscreate
/proc/608/task/608/attr/fscreate
/proc/608/task/608/attr/keycreate
/proc/608/task/608/attr/sockcreate
/proc/608/task/608/attr/current
/proc/608/attr/current
/proc/608/timerslack_ns
/proc/609/task/609/attr/current
/proc/609/attr/fscreate
/proc/608/task/608/attr/exec
/proc/608/attr/keycreate
/proc/608/attr/sockcreate
/proc/609/task/609/attr/keycreate
/proc/609/task/609/attr/sockcreate
/proc/609/attr/current
/proc/705/attr/exec
/proc/609/attr/exec
/proc/609/attr/sockcreate
/proc/609/timerslack_ns
/proc/610/task/610/attr/current
/proc/610/attr/keycreate
/proc/609/task/609/attr/fscreate
/proc/609/task/609/attr/exec
/proc/609/attr/keycreate
/proc/610/task/610/attr/keycreate
/proc/610/task/610/attr/sockcreate
/proc/610/attr/current
/proc/610/task/610/attr/fscreate
/proc/610/attr/exec
/proc/610/attr/fscreate
/proc/610/timerslack_ns
/proc/611/attr/keycreate
/proc/610/task/610/attr/exec
/proc/610/attr/sockcreate
/proc/611/attr/fscreate
/proc/611/task/611/attr/keycreate
/proc/611/attr/current
/proc/611/task/611/attr/sockcreate
/proc/611/task/611/attr/current
/proc/611/attr/exec
/proc/611/attr/sockcreate
/proc/611/timerslack_ns
/proc/678/attr/exec
/proc/678/attr/fscreate
/proc/611/task/611/attr/fscreate
/proc/611/task/611/attr/exec
/proc/678/task/678/attr/exec
/proc/678/task/678/attr/fscreate
/proc/678/task/678/attr/current
/proc/678/attr/current
/proc/678/timerslack_ns
/proc/678/attr/sockcreate
/proc/678/task/678/attr/keycreate
/proc/678/task/678/attr/sockcreate
/proc/678/attr/keycreate
/proc/705/attr/current
/proc/705/task/705/attr/keycreate
/proc/705/task/705/attr/sockcreate
/proc/705/attr/fscreate
/proc/705/attr/sockcreate
/proc/705/timerslack_ns
/proc/740/attr/keycreate
/proc/748/task/748/attr/current
/proc/740/task/740/attr/current
/proc/705/task/705/attr/fscreate
/proc/705/task/705/attr/exec
/proc/705/attr/keycreate
/proc/705/task/705/attr/current
/proc/740/task/740/attr/keycreate
/proc/740/task/740/attr/sockcreate
/proc/740/attr/exec
/proc/740/attr/fscreate
/proc/740/timerslack_ns
/proc/748/attr/fscreate
/proc/740/task/740/attr/fscreate
/proc/740/task/740/attr/exec
/proc/740/attr/current
/proc/740/attr/sockcreate
/proc/748/task/748/attr/keycreate
/proc/748/task/748/attr/sockcreate
/proc/748/attr/exec
/proc/748/attr/sockcreate
/proc/748/timerslack_ns
/proc/820/task/820/attr/current
/proc/820/attr/fscreate
/proc/748/attr/current
/proc/748/task/748/attr/fscreate
/proc/748/task/748/attr/exec
/proc/748/attr/keycreate
/proc/820/task/820/attr/keycreate
/proc/820/task/820/attr/sockcreate
/proc/820/attr/current
/proc/820/attr/keycreate
/proc/820/timerslack_ns
/proc/820/attr/exec
/proc/820/task/820/attr/fscreate
/proc/820/task/820/attr/exec
/proc/820/attr/sockcreate
/proc/821/task/821/attr/sockcreate
/proc/821/task/821/attr/current
/proc/821/attr/fscreate
/proc/821/attr/exec
/proc/821/timerslack_ns
/proc/822/attr/keycreate
/proc/821/attr/sockcreate
/proc/821/attr/current
/proc/821/task/821/attr/exec
/proc/821/task/821/attr/fscreate
/proc/821/task/821/attr/keycreate
/proc/821/attr/keycreate
/proc/822/task/822/attr/current
/proc/822/task/822/attr/keycreate
/proc/822/task/822/attr/sockcreate
/proc/822/attr/current
/proc/822/attr/exec
/proc/822/attr/sockcreate
/proc/822/attr/fscreate
/proc/822/timerslack_ns
/proc/823/task/823/attr/current
/proc/823/attr/fscreate
/proc/822/task/822/attr/fscreate
/proc/822/task/822/attr/exec
/proc/823/task/823/attr/keycreate
/proc/823/attr/current
/proc/823/task/823/attr/sockcreate
/proc/823/attr/exec
/proc/823/attr/sockcreate
/proc/823/timerslack_ns
/proc/824/attr/fscreate
/proc/825/attr/exec
/proc/823/task/823/attr/fscreate
/proc/823/task/823/attr/exec
/proc/823/attr/keycreate
/proc/824/task/824/attr/sockcreate
/proc/824/attr/current
/proc/824/task/824/attr/fscreate
/proc/824/attr/exec
/proc/824/attr/sockcreate
/proc/824/timerslack_ns
/proc/825/task/825/attr/current
/proc/825/attr/keycreate
/proc/826/attr/current
/proc/824/task/824/attr/current
/proc/824/task/824/attr/exec
/proc/824/task/824/attr/keycreate
/proc/825/attr/current
/proc/824/attr/keycreate
/proc/825/task/825/attr/keycreate
/proc/825/task/825/attr/sockcreate
/proc/825/attr/fscreate
/proc/825/timerslack_ns
/proc/826/attr/fscreate
/proc/826/task/826/attr/current
/proc/825/task/825/attr/fscreate
/proc/825/task/825/attr/exec
/proc/825/attr/sockcreate
/proc/826/task/826/attr/keycreate
/proc/826/task/826/attr/sockcreate
/proc/826/attr/exec
/proc/826/attr/sockcreate
/proc/826/timerslack_ns
/proc/828/task/828/attr/current
/proc/828/attr/fscreate
/proc/826/task/826/attr/fscreate
/proc/826/task/826/attr/exec
/proc/826/attr/keycreate
/proc/828/task/828/attr/keycreate
/proc/828/task/828/attr/sockcreate
/proc/828/attr/exec
/proc/829/task/829/attr/current
/proc/828/timerslack_ns
/proc/828/attr/keycreate
/proc/828/attr/current
/proc/830/attr/current
/proc/828/task/828/attr/fscreate
/proc/828/task/828/attr/exec
/proc/829/attr/exec
/proc/828/attr/sockcreate
/proc/829/task/829/attr/keycreate
/proc/829/task/829/attr/sockcreate
/proc/829/attr/current
/proc/829/attr/fscreate
/proc/829/attr/sockcreate
/proc/829/timerslack_ns
/proc/830/attr/fscreate
/proc/829/task/829/attr/fscreate
/proc/829/task/829/attr/exec
/proc/829/attr/keycreate
/proc/830/task/830/attr/keycreate
/proc/830/task/830/attr/sockcreate
/proc/830/task/830/attr/current
/proc/830/attr/keycreate
/proc/830/timerslack_ns
/proc/831/task/831/attr/current
/proc/831/attr/fscreate
/proc/830/attr/exec
/proc/832/attr/exec
/proc/830/task/830/attr/exec
/proc/830/task/830/attr/fscreate
/proc/830/attr/sockcreate
/proc/831/task/831/attr/keycreate
/proc/831/task/831/attr/sockcreate
/proc/832/attr/current
/proc/831/attr/current
/proc/831/attr/keycreate
/proc/831/timerslack_ns
/proc/832/task/832/attr/current
/proc/832/attr/keycreate
/proc/831/attr/exec
/proc/834/attr/exec
/proc/831/task/831/attr/fscreate
/proc/831/task/831/attr/exec
/proc/831/attr/sockcreate
/proc/832/task/832/attr/keycreate
/proc/832/task/832/attr/sockcreate
/proc/832/attr/fscreate
/proc/832/timerslack_ns
/proc/834/attr/fscreate
/proc/834/task/834/attr/current
/proc/832/task/832/attr/fscreate
/proc/832/task/832/attr/exec
/proc/832/attr/sockcreate
/proc/834/task/834/attr/keycreate
/proc/834/attr/current
/proc/834/task/834/attr/sockcreate
/proc/834/attr/sockcreate
/proc/834/timerslack_ns
/proc/836/task/836/attr/current
/proc/836/attr/fscreate
/proc/834/task/834/attr/fscreate
/proc/834/task/834/attr/exec
/proc/834/attr/keycreate
/proc/836/task/836/attr/keycreate
/proc/836/task/836/attr/sockcreate
/proc/836/attr/current
/proc/836/attr/exec
/proc/836/attr/sockcreate
/proc/836/timerslack_ns
/proc/837/task/837/attr/current
/proc/837/attr/fscreate
/proc/837/attr/current
/proc/836/task/836/attr/fscreate
/proc/836/task/836/attr/exec
/proc/836/attr/keycreate
/proc/837/task/837/attr/keycreate
/proc/837/task/837/attr/sockcreate
/proc/837/attr/exec
/proc/837/attr/sockcreate
/proc/837/timerslack_ns
/proc/839/attr/current
/proc/837/task/837/attr/fscreate
/proc/837/task/837/attr/exec
/proc/837/attr/keycreate
/proc/838/task/838/attr/keycreate
/proc/838/task/838/attr/sockcreate
/proc/838/attr/exec
/proc/838/attr/fscreate
/proc/838/attr/current
/proc/838/attr/keycreate
/proc/838/timerslack_ns
/proc/839/attr/keycreate
/proc/838/task/838/attr/current
/proc/838/task/838/attr/exec
/proc/838/task/838/attr/fscreate
/proc/838/attr/sockcreate
/proc/839/task/839/attr/keycreate
/proc/839/task/839/attr/sockcreate
/proc/839/task/839/attr/current
/proc/839/attr/exec
/proc/839/attr/fscreate
/proc/839/timerslack_ns
/proc/840/attr/fscreate
/proc/839/task/839/attr/fscreate
/proc/839/task/839/attr/exec
/proc/839/attr/sockcreate
/proc/840/task/840/attr/current
/proc/840/task/840/attr/sockcreate
/proc/840/attr/exec
/proc/841/task/841/attr/current
/proc/840/attr/current
/proc/840/attr/sockcreate
/proc/840/timerslack_ns
/proc/841/attr/exec
/proc/841/attr/fscreate
/proc/840/task/840/attr/exec
/proc/840/task/840/attr/fscreate
/proc/840/task/840/attr/keycreate
/proc/840/attr/keycreate
/proc/841/task/841/attr/fscreate
/proc/841/task/841/attr/keycreate
/proc/841/attr/current
/proc/841/task/841/attr/sockcreate
/proc/842/task/842/attr/current
/proc/841/timerslack_ns
/proc/841/task/841/attr/exec
/proc/841/attr/keycreate
/proc/841/attr/sockcreate
/proc/842/task/842/attr/fscreate
/proc/842/task/842/attr/keycreate
/proc/842/task/842/attr/sockcreate
/proc/842/attr/current
/proc/842/attr/fscreate
/proc/842/attr/exec
/proc/842/attr/sockcreate
/proc/843/task/843/attr/current
/proc/842/timerslack_ns
/proc/842/task/842/attr/exec
/proc/842/attr/keycreate
/proc/843/task/843/attr/keycreate
/proc/843/attr/current
/proc/843/task/843/attr/sockcreate
/proc/843/attr/exec
/proc/843/attr/fscreate
/proc/843/timerslack_ns
/proc/844/attr/fscreate
/proc/843/task/843/attr/fscreate
/proc/843/task/843/attr/exec
/proc/843/attr/keycreate
/proc/843/attr/sockcreate
/proc/844/attr/exec
/proc/844/task/844/attr/keycreate
/proc/844/attr/current
/proc/844/task/844/attr/sockcreate
/proc/844/task/844/attr/current
/proc/844/attr/sockcreate
/proc/844/timerslack_ns
/proc/845/attr/exec
/proc/845/attr/keycreate
/proc/844/task/844/attr/exec
/proc/844/task/844/attr/fscreate
/proc/844/attr/keycreate
/proc/845/task/845/attr/keycreate
/proc/845/task/845/attr/sockcreate
/proc/845/task/845/attr/current
/proc/845/attr/fscreate
/proc/845/timerslack_ns
/proc/846/task/846/attr/current
/proc/846/attr/keycreate
/proc/845/attr/current
/proc/845/task/845/attr/fscreate
/proc/845/task/845/attr/exec
/proc/845/attr/sockcreate
/proc/846/task/846/attr/keycreate
/proc/846/attr/current
/proc/846/task/846/attr/sockcreate
/proc/846/timerslack_ns
/proc/847/attr/fscreate
/proc/846/attr/fscreate
/proc/846/attr/exec
/proc/847/task/847/attr/current
/proc/847/attr/current
/proc/846/task/846/attr/fscreate
/proc/846/task/846/attr/exec
/proc/846/attr/sockcreate
/proc/847/attr/exec
/proc/847/task/847/attr/keycreate
/proc/847/task/847/attr/sockcreate
/proc/847/attr/sockcreate
/proc/847/timerslack_ns
/proc/848/task/848/attr/current
/proc/848/attr/fscreate
/proc/847/task/847/attr/fscreate
/proc/847/task/847/attr/exec
/proc/847/attr/keycreate
/proc/848/task/848/attr/keycreate
/proc/848/task/848/attr/sockcreate
/proc/848/attr/exec
/proc/848/attr/sockcreate
/proc/848/timerslack_ns
/proc/849/attr/keycreate
/proc/848/attr/current
/proc/849/attr/exec
/proc/848/task/848/attr/fscreate
/proc/848/task/848/attr/exec
/proc/848/attr/keycreate
/proc/849/task/849/attr/keycreate
/proc/849/task/849/attr/sockcreate
/proc/849/attr/fscreate
/proc/849/timerslack_ns
/proc/850/task/850/attr/current
/proc/849/attr/current
/proc/849/attr/sockcreate
/proc/849/task/849/attr/current
/proc/849/task/849/attr/fscreate
/proc/849/task/849/attr/exec
/proc/850/attr/current
/proc/850/attr/exec
/proc/850/task/850/attr/keycreate
/proc/850/task/850/attr/sockcreate
/proc/850/attr/fscreate
/proc/850/attr/sockcreate
/proc/850/timerslack_ns
/proc/894/task/894/attr/current
/proc/850/task/850/attr/fscreate
/proc/850/task/850/attr/exec
/proc/850/attr/keycreate
/proc/894/task/894/attr/keycreate
/proc/894/task/894/attr/sockcreate
/proc/894/attr/fscreate
/proc/894/attr/sockcreate
/proc/894/timerslack_ns
/proc/895/attr/keycreate
/proc/894/attr/current
/proc/894/task/894/attr/fscreate
/proc/894/task/894/attr/exec
/proc/894/attr/exec
/proc/894/attr/keycreate
/proc/895/task/895/attr/fscreate
/proc/895/task/895/attr/current
/proc/895/task/895/attr/keycreate
/proc/895/task/895/attr/sockcreate
/proc/895/task/896/attr/current
/proc/895/task/896/attr/fscreate
/proc/895/task/898/attr/exec
/proc/895/task/896/attr/keycreate
/proc/897/attr/keycreate
/proc/895/task/895/attr/exec
/proc/895/task/896/attr/exec
/proc/895/task/898/attr/fscreate
/proc/895/task/896/attr/sockcreate
/proc/895/task/898/attr/current
/proc/923/attr/exec
/proc/895/task/898/attr/keycreate
/proc/895/task/898/attr/sockcreate
/proc/895/attr/current
/proc/895/attr/fscreate
/proc/897/task/897/attr/current
/proc/895/timerslack_ns
/proc/895/attr/exec
/proc/895/attr/sockcreate
/proc/897/task/897/attr/fscreate
/proc/897/task/897/attr/sockcreate
/proc/897/attr/fscreate
/proc/897/attr/sockcreate
/proc/897/attr/current
/proc/897/attr/exec
/proc/920/attr/exec
/proc/920/task/920/attr/current
/proc/897/task/897/attr/exec
/proc/897/task/897/attr/keycreate
/proc/897/timerslack_ns
/proc/920/task/920/attr/keycreate
/proc/920/task/920/attr/sockcreate
/proc/920/attr/current
/proc/924/attr/exec
/proc/920/attr/fscreate
/proc/920/attr/keycreate
/proc/920/attr/sockcreate
/proc/923/task/923/attr/current
/proc/920/task/920/attr/fscreate
/proc/920/task/920/attr/exec
/proc/920/timerslack_ns
/proc/924/attr/current
/proc/451716/attr/exec
/proc/923/task/923/attr/fscreate
/proc/923/task/923/attr/sockcreate
/proc/923/attr/fscreate
/proc/923/attr/keycreate
/proc/923/attr/sockcreate
/proc/923/attr/current
/proc/923/task/923/attr/exec
/proc/923/task/923/attr/keycreate
/proc/923/timerslack_ns
/proc/924/task/924/attr/current
/proc/924/task/924/attr/keycreate
/proc/924/task/924/attr/sockcreate
/proc/926/attr/current
/proc/926/attr/exec
/proc/924/attr/keycreate
/proc/924/task/956/attr/current
/proc/924/task/956/attr/exec
/proc/924/task/924/attr/fscreate
/proc/924/task/924/attr/exec
/proc/924/task/956/attr/fscreate
/proc/924/task/956/attr/keycreate
/proc/924/task/956/attr/sockcreate
/proc/924/attr/fscreate
/proc/924/attr/sockcreate
/proc/924/timerslack_ns
/proc/926/task/926/attr/current
/proc/926/task/926/attr/keycreate
/proc/926/task/926/attr/sockcreate
/proc/926/attr/keycreate
/proc/926/attr/fscreate
/proc/926/attr/sockcreate
/proc/927/attr/fscreate
/proc/926/task/926/attr/fscreate
/proc/926/task/926/attr/exec
/proc/926/timerslack_ns
/proc/927/task/927/attr/keycreate
/proc/927/task/927/attr/sockcreate
/proc/927/attr/sockcreate
/proc/927/timerslack_ns
/proc/930/attr/sockcreate
/proc/930/task/930/attr/current
/proc/927/attr/current
/proc/927/attr/exec
/proc/927/task/927/attr/exec
/proc/927/task/927/attr/fscreate
/proc/927/attr/keycreate
/proc/927/task/927/attr/current
/proc/930/attr/current
/proc/930/task/930/attr/fscreate
/proc/930/task/930/attr/sockcreate
/proc/930/task/967/attr/fscreate
/proc/930/attr/keycreate
/proc/935/attr/current
/proc/930/task/967/attr/current
/proc/930/task/967/attr/keycreate
/proc/930/task/930/attr/exec
/proc/930/task/930/attr/keycreate
/proc/930/task/967/attr/exec
/proc/930/attr/fscreate
/proc/930/task/967/attr/sockcreate
/proc/930/attr/exec
/proc/930/timerslack_ns
/proc/935/task/935/attr/keycreate
/proc/935/task/935/attr/sockcreate
/proc/935/task/986/attr/current
/proc/935/task/984/attr/keycreate
/proc/951/attr/fscreate
/proc/935/task/935/attr/current
/proc/935/task/935/attr/fscreate
/proc/935/task/935/attr/exec
/proc/935/task/984/attr/exec
/proc/935/task/984/attr/fscreate
/proc/935/task/984/attr/current
/proc/935/task/984/attr/sockcreate
/proc/935/task/985/attr/exec
/proc/935/task/985/attr/fscreate
/proc/935/task/985/attr/keycreate
/proc/935/task/985/attr/sockcreate
/proc/935/task/986/attr/fscreate
/proc/935/task/985/attr/current
/proc/935/task/986/attr/exec
/proc/935/task/987/attr/exec
/proc/935/task/987/attr/fscreate
/proc/935/task/989/attr/current
/proc/935/task/986/attr/keycreate
/proc/935/task/986/attr/sockcreate
/proc/935/task/987/attr/keycreate
/proc/935/task/987/attr/sockcreate
/proc/935/task/989/attr/fscreate
/proc/935/task/987/attr/current
/proc/935/task/989/attr/exec
/proc/935/attr/keycreate
/proc/935/attr/sockcreate
/proc/935/task/989/attr/keycreate
/proc/935/task/989/attr/sockcreate
/proc/970/attr/fscreate
/proc/935/attr/exec
/proc/935/attr/fscreate
/proc/935/timerslack_ns
/proc/1446/attr/exec
/proc/951/task/951/attr/current
/proc/970/attr/current
/proc/951/task/951/attr/keycreate
/proc/951/task/951/attr/sockcreate
/proc/951/attr/current
/proc/951/attr/keycreate
/proc/951/attr/sockcreate
/proc/951/attr/exec
/proc/951/task/951/attr/fscreate
/proc/951/task/951/attr/exec
/proc/970/task/970/attr/current
/proc/951/timerslack_ns
/proc/970/task/970/attr/fscreate
/proc/970/task/970/attr/sockcreate
/proc/970/task/982/attr/current
/proc/988/attr/exec
/proc/970/attr/keycreate
/proc/970/task/982/attr/fscreate
/proc/970/task/970/attr/exec
/proc/970/task/970/attr/keycreate
/proc/970/task/982/attr/exec
/proc/970/task/982/attr/keycreate
/proc/970/task/982/attr/sockcreate
/proc/970/task/983/attr/current
/proc/970/task/983/attr/exec
/proc/970/task/983/attr/keycreate
/proc/970/task/983/attr/sockcreate
/proc/970/task/983/attr/fscreate
/proc/970/attr/exec
/proc/970/attr/sockcreate
/proc/970/timerslack_ns
/proc/988/task/988/attr/keycreate
/proc/988/task/988/attr/sockcreate
/proc/988/attr/current
/proc/988/attr/fscreate
/proc/988/attr/keycreate
/proc/988/attr/sockcreate
/proc/988/timerslack_ns
/proc/991/task/991/attr/current
/proc/988/task/988/attr/fscreate
/proc/988/task/988/attr/exec
/proc/988/task/988/attr/current
/proc/992/attr/current
/proc/991/task/991/attr/keycreate
/proc/991/task/991/attr/sockcreate
/proc/991/task/1089/attr/current
/proc/991/attr/current
/proc/991/attr/keycreate
/proc/991/task/1089/attr/keycreate
/proc/991/task/1089/attr/sockcreate
/proc/992/task/992/attr/current
/proc/991/task/1089/attr/exec
/proc/991/task/991/attr/fscreate
/proc/991/task/991/attr/exec
/proc/991/task/1089/attr/fscreate
/proc/991/attr/exec
/proc/991/attr/fscreate
/proc/991/attr/sockcreate
/proc/991/timerslack_ns
/proc/992/task/992/attr/fscreate
/proc/992/task/992/attr/sockcreate
/proc/992/attr/exec
/proc/992/attr/sockcreate
/proc/992/timerslack_ns
/proc/993/task/993/attr/current
/proc/993/attr/keycreate
/proc/992/task/992/attr/exec
/proc/992/task/992/attr/keycreate
/proc/992/attr/fscreate
/proc/992/attr/keycreate
/proc/993/task/993/attr/keycreate
/proc/993/task/993/attr/sockcreate
/proc/993/attr/exec
/proc/993/attr/sockcreate
/proc/993/timerslack_ns
/proc/1128/task/1128/attr/current
/proc/1128/attr/keycreate
/proc/1128/timerslack_ns
/proc/993/attr/current
/proc/993/task/993/attr/fscreate
/proc/993/task/993/attr/exec
/proc/993/attr/fscreate
/proc/1128/task/1128/attr/keycreate
/proc/1128/task/1128/attr/sockcreate
/proc/1128/task/1129/attr/current
/proc/1128/task/1129/attr/fscreate
/proc/1128/task/1129/attr/exec
/proc/1128/task/1130/attr/fscreate
/proc/1128/task/1130/attr/current
/proc/1128/attr/exec
/proc/1128/task/1129/attr/keycreate
/proc/1132/task/1132/attr/exec
/proc/1128/task/1128/attr/exec
/proc/1128/task/1128/attr/fscreate
/proc/1128/task/1129/attr/sockcreate
/proc/1128/task/1130/attr/exec
/proc/1128/task/1130/attr/keycreate
/proc/1128/task/1130/attr/sockcreate
/proc/1128/attr/current
/proc/1128/attr/fscreate
/proc/1128/attr/sockcreate
/proc/1132/attr/keycreate
/proc/1132/task/1132/attr/current
/proc/1132/task/1132/attr/sockcreate
/proc/1132/attr/exec
/proc/1132/attr/current
/proc/1132/attr/fscreate
/proc/1132/attr/sockcreate
/proc/1132/timerslack_ns
/proc/1133/task/1133/attr/exec
/proc/1132/task/1132/attr/fscreate
/proc/1132/task/1132/attr/keycreate
/proc/1133/task/1133/attr/keycreate
/proc/1133/task/1133/attr/sockcreate
/proc/1133/task/1289/attr/fscreate
/proc/1133/task/1293/attr/fscreate
/proc/1133/task/1293/attr/keycreate
/proc/1133/task/1289/attr/current
/proc/1133/task/1289/attr/exec
/proc/1133/task/1289/attr/keycreate
/proc/1133/task/1289/attr/sockcreate
/proc/1133/timerslack_ns
/proc/1137/task/1137/attr/exec
/proc/1395/attr/exec
/proc/1133/task/1133/attr/current
/proc/1133/task/1133/attr/fscreate
/proc/1133/task/1293/attr/exec
/proc/1133/task/1293/attr/sockcreate
/proc/1133/task/1294/attr/current
/proc/1133/task/1294/attr/exec
/proc/1133/task/1293/attr/current
/proc/1133/attr/exec
/proc/1133/attr/keycreate
/proc/1133/task/1294/attr/keycreate
/proc/1133/task/1294/attr/sockcreate
/proc/1133/task/1294/attr/fscreate
/proc/1133/attr/current
/proc/1133/attr/fscreate
/proc/1133/attr/sockcreate
/proc/1137/task/1137/attr/current
/proc/1137/task/1137/attr/keycreate
/proc/1137/task/1137/attr/sockcreate
/proc/1137/attr/exec
/proc/1137/attr/current
/proc/1137/attr/fscreate
/proc/1137/attr/keycreate
/proc/1137/attr/sockcreate
/proc/1137/timerslack_ns
/proc/1295/attr/exec
/proc/1137/task/1137/attr/fscreate
/proc/1295/task/1295/attr/exec
/proc/1295/task/1295/attr/keycreate
/proc/1295/task/1295/attr/sockcreate
/proc/1295/attr/fscreate
/proc/1295/attr/keycreate
/proc/1295/attr/sockcreate
/proc/1295/timerslack_ns
/proc/1395/task/1395/attr/exec
/proc/1295/task/1295/attr/current
/proc/1295/attr/current
/proc/1295/task/1295/attr/fscreate
/proc/1395/attr/current
/proc/1395/task/1395/attr/keycreate
/proc/1395/task/1395/attr/sockcreate
/proc/1395/task/1395/attr/current
/proc/1395/attr/fscreate
/proc/1395/attr/sockcreate
/proc/1395/timerslack_ns
/proc/1396/task/1396/attr/exec
/proc/1396/task/1396/attr/current
/proc/1396/attr/fscreate
/proc/1396/timerslack_ns
/proc/1395/task/1395/attr/fscreate
/proc/1395/attr/keycreate
/proc/1396/task/1396/attr/keycreate
/proc/1396/task/1396/attr/sockcreate
/proc/1396/attr/exec
/proc/1396/attr/sockcreate
/proc/1439/attr/fscreate
/proc/1439/task/1439/attr/exec
/proc/1439/attr/exec
/proc/1396/attr/current
/proc/1396/task/1396/attr/fscreate
/proc/1396/attr/keycreate
/proc/1441/attr/current
/proc/1439/attr/current
/proc/1439/task/1439/attr/keycreate
/proc/1439/task/1439/attr/sockcreate
/proc/1439/attr/keycreate
/proc/1439/attr/sockcreate
/proc/1439/timerslack_ns
/proc/1441/task/1441/attr/exec
/proc/1441/attr/exec
/proc/1439/task/1439/attr/current
/proc/1439/task/1439/attr/fscreate
/proc/1441/attr/fscreate
/proc/1441/attr/keycreate
/proc/1441/attr/sockcreate
/proc/1441/task/1441/attr/keycreate
/proc/1441/task/1441/attr/sockcreate
/proc/1441/timerslack_ns
/proc/1442/attr/exec
/proc/1441/task/1441/attr/current
/proc/1441/task/1441/attr/fscreate
/proc/1442/task/1442/attr/keycreate
/proc/1442/task/1442/attr/sockcreate
/proc/1442/task/1574/attr/fscreate
/proc/1442/attr/fscreate
/proc/1446/attr/current
/proc/1442/task/1565/attr/current
/proc/1442/task/1565/attr/exec
/proc/1442/task/1565/attr/keycreate
/proc/1442/attr/keycreate
/proc/1442/timerslack_ns
/proc/1442/task/1442/attr/exec
/proc/1442/task/1442/attr/current
/proc/1442/task/1442/attr/fscreate
/proc/1442/task/1565/attr/fscreate
/proc/1442/task/1565/attr/sockcreate
/proc/1442/task/1574/attr/exec
/proc/1442/task/1574/attr/current
/proc/1442/task/1574/attr/keycreate
/proc/1442/task/1574/attr/sockcreate
/proc/1442/attr/current
/proc/1446/attr/keycreate
/proc/1446/task/1446/attr/current
/proc/1442/attr/sockcreate
/proc/1446/attr/sockcreate
/proc/1446/task/1446/attr/exec
/proc/1446/task/1446/attr/keycreate
/proc/1446/task/1446/attr/sockcreate
/proc/1446/attr/fscreate
/proc/1446/timerslack_ns
/proc/1447/task/1447/attr/exec
/proc/1447/task/1447/attr/current
/proc/1446/task/1446/attr/fscreate
/proc/1447/attr/current
/proc/1447/task/1447/attr/sockcreate
/proc/1447/attr/exec
/proc/1447/attr/fscreate
/proc/1447/attr/keycreate
/proc/1447/attr/sockcreate
/proc/1447/timerslack_ns
/proc/1448/task/1448/attr/exec
/proc/1447/task/1447/attr/fscreate
/proc/1447/task/1447/attr/keycreate
/proc/1449/attr/exec
/proc/1448/task/1448/attr/keycreate
/proc/1448/task/1448/attr/sockcreate
/proc/1448/attr/exec
/proc/1448/attr/fscreate
/proc/1448/attr/current
/proc/1448/attr/keycreate
/proc/1448/attr/sockcreate
/proc/1448/timerslack_ns
/proc/1449/task/1449/attr/current
/proc/1448/task/1448/attr/current
/proc/1448/task/1448/attr/fscreate
/proc/3457/attr/exec
/proc/1449/task/1449/attr/exec
/proc/1449/task/1449/attr/sockcreate
/proc/1449/attr/current
/proc/1449/attr/keycreate
/proc/1449/attr/fscreate
/proc/1449/attr/sockcreate
/proc/1449/timerslack_ns
/proc/3457/task/3457/attr/exec
/proc/1449/task/1449/attr/fscreate
/proc/1449/task/1449/attr/keycreate
/proc/3457/task/4337/attr/exec
/proc/3457/task/3457/attr/current
/proc/3457/task/3457/attr/keycreate
/proc/3457/task/3457/attr/sockcreate
/proc/3457/task/4336/attr/exec
/proc/3457/task/4336/attr/fscreate
/proc/3457/task/4338/attr/exec
/proc/3457/task/4336/attr/current
/proc/3457/attr/keycreate
/proc/3457/timerslack_ns
/proc/278441/task/278441/attr/exec
/proc/3457/task/3457/attr/fscreate
/proc/3457/task/4336/attr/keycreate
/proc/3457/task/4336/attr/sockcreate
/proc/3457/task/4337/attr/current
/proc/3457/task/4340/attr/fscreate
/proc/3457/attr/fscreate
/proc/3457/task/4338/attr/fscreate
/proc/3457/task/4337/attr/fscreate
/proc/3457/task/4337/attr/keycreate
/proc/3457/task/4337/attr/sockcreate
/proc/3457/task/4338/attr/current
/proc/3457/task/4338/attr/keycreate
/proc/3457/task/4338/attr/sockcreate
/proc/3457/task/4340/attr/current
/proc/3457/task/4340/attr/exec
/proc/278441/attr/current
/proc/3457/task/4340/attr/keycreate
/proc/3457/task/4340/attr/sockcreate
/proc/3457/attr/current
/proc/3457/attr/sockcreate
/proc/278441/task/278441/attr/current
/proc/278441/task/278441/attr/keycreate
/proc/278441/task/278441/attr/sockcreate
/proc/278441/attr/fscreate
/proc/278441/attr/exec
/proc/278441/attr/sockcreate
/proc/278441/timerslack_ns
/proc/278441/task/278441/attr/fscreate
/proc/278441/attr/keycreate
/proc/395365/task/395365/attr/sockcreate
/proc/395365/attr/fscreate
/proc/395365/task/395365/attr/exec
/proc/395365/task/395365/attr/current
/proc/395365/attr/exec
/proc/395365/attr/sockcreate
/proc/395365/timerslack_ns
/proc/395457/task/395457/attr/exec
/proc/395457/attr/fscreate
/proc/395365/task/395365/attr/fscreate
/proc/395365/task/395365/attr/keycreate
/proc/395365/attr/current
/proc/395365/attr/keycreate
/proc/395457/attr/exec
/proc/395457/attr/current
/proc/395457/task/395457/attr/current
/proc/395457/task/395457/attr/keycreate
/proc/395457/task/395457/attr/sockcreate
/proc/395457/attr/sockcreate
/proc/395457/timerslack_ns
/proc/395738/attr/fscreate
/proc/395457/task/395457/attr/fscreate
/proc/395457/attr/keycreate
/proc/395738/attr/exec
/proc/395738/attr/current
/proc/395738/task/395738/attr/current
/proc/395738/task/395738/attr/keycreate
/proc/395738/task/395738/attr/sockcreate
/proc/395738/attr/sockcreate
/proc/395738/timerslack_ns
/proc/395757/attr/current
/proc/395751/attr/current
/proc/395738/task/395738/attr/exec
/proc/395738/task/395738/attr/fscreate
/proc/395738/attr/keycreate
/proc/395751/attr/fscreate
/proc/395751/task/395751/attr/current
/proc/395751/task/395751/attr/keycreate
/proc/395751/task/395751/attr/sockcreate
/proc/395751/attr/exec
/proc/395751/attr/keycreate
/proc/395751/attr/sockcreate
/proc/395757/attr/exec
/proc/395751/task/395751/attr/exec
/proc/395751/task/395751/attr/fscreate
/proc/395751/timerslack_ns
/proc/395757/task/395757/attr/keycreate
/proc/395757/task/395757/attr/sockcreate
/proc/395757/task/395757/attr/exec
/proc/395757/attr/fscreate
/proc/395757/attr/keycreate
/proc/395757/attr/sockcreate
/proc/395757/timerslack_ns
/proc/395759/task/395759/attr/exec
/proc/395759/attr/current
/proc/395757/task/395757/attr/fscreate
/proc/395757/task/395757/attr/current
/proc/395759/task/395759/attr/current
/proc/395759/task/395759/attr/sockcreate
/proc/395766/attr/exec
/proc/395759/timerslack_ns
/proc/395760/task/395760/attr/exec
/proc/395759/attr/sockcreate
/proc/395760/attr/exec
/proc/395760/attr/fscreate
/proc/395759/task/395759/attr/fscreate
/proc/395759/task/395759/attr/keycreate
/proc/395759/attr/fscreate
/proc/395759/attr/exec
/proc/395759/attr/keycreate
/proc/395760/task/395760/attr/current
/proc/395760/task/395760/attr/keycreate
/proc/395760/task/395760/attr/sockcreate
/proc/395760/attr/keycreate
/proc/395760/attr/sockcreate
/proc/395766/attr/fscreate
/proc/399947/attr/current
/proc/395766/task/395766/attr/exec
/proc/395766/attr/current
/proc/395760/task/395760/attr/fscreate
/proc/395760/attr/current
/proc/395760/timerslack_ns
/proc/395766/task/395766/attr/current
/proc/395766/task/395766/attr/keycreate
/proc/395766/task/395766/attr/sockcreate
/proc/395766/attr/sockcreate
/proc/395766/timerslack_ns
/proc/399947/attr/keycreate
/proc/395766/task/395766/attr/fscreate
/proc/395766/attr/keycreate
/proc/399947/attr/exec
/proc/399947/task/399947/attr/current
/proc/399947/task/399947/attr/exec
/proc/399947/task/399947/attr/keycreate
/proc/399947/task/399947/attr/sockcreate
/proc/399947/timerslack_ns
/proc/399947/attr/fscreate
/proc/399947/task/399947/attr/fscreate
/proc/399947/attr/sockcreate
/proc/451716/attr/fscreate
/proc/451716/task/451716/attr/current
/proc/451716/task/451716/attr/keycreate
/proc/451716/task/451716/attr/sockcreate
/proc/451716/task/451716/attr/exec
/proc/451716/attr/sockcreate
/proc/451716/timerslack_ns
/proc/493723/task/493723/attr/exec
/proc/451716/attr/current
/proc/493723/attr/current
/proc/451716/task/451716/attr/fscreate
/proc/451716/attr/keycreate
/proc/493723/task/493723/attr/current
/proc/493723/task/493723/attr/keycreate
/proc/493723/task/493723/attr/sockcreate
/proc/493723/attr/fscreate
/proc/493723/attr/exec
/proc/493723/timerslack_ns
/proc/499826/attr/keycreate
/proc/493723/attr/sockcreate
/proc/499826/task/499826/attr/exec
/proc/493723/task/493723/attr/fscreate
/proc/493723/attr/keycreate
/proc/499826/task/499826/attr/current
/proc/499826/task/499826/attr/keycreate
/proc/499826/task/499826/attr/sockcreate
/proc/499826/attr/exec
/proc/499826/attr/fscreate
/proc/499826/timerslack_ns
/proc/502165/task/502165/attr/exec
/proc/502165/attr/keycreate
/proc/499826/task/499826/attr/fscreate
/proc/499826/attr/current
/proc/499826/attr/sockcreate
/proc/502165/attr/current
/proc/502165/task/502165/attr/keycreate
/proc/502165/task/502165/attr/sockcreate
/proc/509560/attr/exec
/proc/502165/task/502165/attr/current
/proc/502165/attr/fscreate
/proc/502165/timerslack_ns
/proc/509539/attr/current
/proc/502165/task/502165/attr/fscreate
/proc/502165/attr/exec
/proc/502165/attr/sockcreate
/proc/509539/task/509539/attr/current
/proc/509539/task/509539/attr/exec
/proc/509539/task/509539/attr/keycreate
/proc/509539/task/509539/attr/sockcreate
/proc/509539/attr/exec
/proc/509539/attr/fscreate
/proc/509539/attr/sockcreate
/proc/509539/attr/keycreate
/proc/509560/attr/fscreate
/proc/509562/attr/exec
/proc/509539/task/509539/attr/fscreate
/proc/509539/timerslack_ns
/proc/509560/task/509560/attr/sockcreate
/proc/509560/attr/current
/proc/509560/task/509560/attr/current
/proc/509560/attr/sockcreate
/proc/509560/timerslack_ns
/proc/509562/attr/fscreate
/proc/509563/task/509563/attr/exec
/proc/509562/attr/current
/proc/509560/task/509560/attr/exec
/proc/509560/task/509560/attr/fscreate
/proc/509560/task/509560/attr/keycreate
/proc/509560/attr/keycreate
/proc/509562/task/509562/attr/sockcreate
/proc/509562/task/509562/attr/current
/proc/509562/task/509562/attr/exec
/proc/509562/attr/sockcreate
/proc/509562/timerslack_ns
/proc/509562/task/509562/attr/fscreate
/proc/509562/task/509562/attr/keycreate
/proc/509562/attr/keycreate
/proc/509563/task/509563/attr/current
/proc/509563/task/509563/attr/keycreate
/proc/509563/task/509563/attr/sockcreate
/proc/509566/attr/exec
/proc/509563/attr/fscreate
/proc/509563/attr/exec
/proc/509563/attr/current
/proc/509563/attr/keycreate
/proc/509563/attr/sockcreate
/proc/509563/task/509563/attr/fscreate
/proc/509563/timerslack_ns
/proc/509564/task/509564/attr/current
/proc/509564/task/509564/attr/keycreate
/proc/509564/task/509564/attr/sockcreate
/proc/509564/attr/exec
/proc/509564/task/509564/attr/exec
/proc/509564/attr/fscreate
/proc/509564/attr/sockcreate
/proc/509564/attr/keycreate
/proc/509564/attr/current
/proc/509564/task/509564/attr/fscreate
/proc/509564/timerslack_ns
/proc/509566/task/509566/attr/fscreate
/proc/509566/task/509566/attr/current
/proc/509566/task/509566/attr/keycreate
/proc/509566/task/509566/attr/exec
/proc/509566/task/509567/attr/fscreate
/proc/509566/task/509567/attr/exec
/proc/509566/task/509566/attr/sockcreate
/proc/509566/task/509567/attr/current
/proc/509566/task/509567/attr/keycreate
/proc/509566/task/509567/attr/sockcreate
/proc/509566/task/509568/attr/fscreate
/proc/509566/task/509568/attr/exec
/proc/509566/task/509568/attr/keycreate
/proc/509566/task/509568/attr/sockcreate
/proc/509566/task/509568/attr/current
/proc/509566/task/509569/attr/current
/proc/509566/task/509569/attr/sockcreate
/proc/509566/task/509571/attr/fscreate
/proc/509566/task/509571/attr/exec
/proc/509566/task/509569/attr/keycreate
/proc/509566/task/509569/attr/fscreate
/proc/509566/task/509569/attr/exec
/proc/509566/task/509571/attr/keycreate
/proc/509566/task/509571/attr/sockcreate
/proc/509566/task/509571/attr/current
/proc/509566/task/509572/attr/exec
/proc/509566/task/509572/attr/keycreate
/proc/509566/task/509573/attr/fscreate
/proc/509566/task/509572/attr/fscreate
/proc/509566/task/509572/attr/current
/proc/509566/task/509572/attr/sockcreate
/proc/509566/task/509573/attr/exec
/proc/509566/task/509573/attr/keycreate
/proc/509566/task/509573/attr/sockcreate
/proc/509566/task/509573/attr/current
/proc/509566/task/509575/attr/exec
/proc/509566/task/509575/attr/keycreate
/proc/509566/task/509576/attr/fscreate
/proc/509566/task/509575/attr/current
/proc/509566/task/509576/attr/exec
/proc/509566/task/509575/attr/fscreate
/proc/509566/task/509575/attr/sockcreate
/proc/509566/task/509576/attr/keycreate
/proc/509566/task/509576/attr/sockcreate
/proc/509566/task/509576/attr/current
/proc/509566/task/509577/attr/exec
/proc/509566/task/509577/attr/keycreate
/proc/509566/task/509579/attr/fscreate
/proc/509566/task/509577/attr/fscreate
/proc/509566/task/509577/attr/current
/proc/509566/task/509577/attr/sockcreate
/proc/509566/task/509579/attr/exec
/proc/509566/task/509579/attr/keycreate
/proc/509566/task/509579/attr/sockcreate
/proc/509566/task/509579/attr/current
/proc/509566/task/509580/attr/exec
/proc/509566/task/509580/attr/keycreate
/proc/509566/task/509581/attr/fscreate
/proc/509566/task/509580/attr/current
/proc/509566/task/509581/attr/exec
/proc/509566/task/509580/attr/fscreate
/proc/509566/task/509580/attr/sockcreate
/proc/509566/task/509581/attr/keycreate
/proc/509566/task/509581/attr/sockcreate
/proc/509566/task/509581/attr/current
/proc/509566/task/509583/attr/exec
/proc/509566/task/509583/attr/keycreate
/proc/509566/task/509584/attr/fscreate
/proc/509566/task/509583/attr/fscreate
/proc/509566/task/509583/attr/current
/proc/509566/task/509583/attr/sockcreate
/proc/509566/task/509584/attr/exec
/proc/509566/task/509584/attr/keycreate
/proc/509566/task/509584/attr/sockcreate
/proc/509566/task/509584/attr/current
/proc/509566/task/509585/attr/exec
/proc/509566/task/509585/attr/keycreate
/proc/509566/task/509587/attr/fscreate
/proc/509566/task/509585/attr/current
/proc/509566/task/509587/attr/exec
/proc/509566/task/509585/attr/fscreate
/proc/509566/task/509585/attr/sockcreate
/proc/509566/task/509587/attr/keycreate
/proc/509566/task/509587/attr/sockcreate
/proc/509566/task/509587/attr/current
/proc/509566/task/509588/attr/exec
/proc/509566/task/509588/attr/keycreate
/proc/509566/task/509589/attr/fscreate
/proc/509566/task/509588/attr/fscreate
/proc/509566/task/509588/attr/current
/proc/509566/task/509588/attr/sockcreate
/proc/509566/task/509589/attr/exec
/proc/509566/task/509589/attr/keycreate
/proc/509566/task/509589/attr/sockcreate
/proc/509566/task/509589/attr/current
/proc/509566/task/509592/attr/exec
/proc/509566/task/509592/attr/keycreate
/proc/509566/task/509593/attr/fscreate
/proc/509566/task/509592/attr/current
/proc/509566/task/509593/attr/exec
/proc/509566/task/509592/attr/fscreate
/proc/509566/task/509592/attr/sockcreate
/proc/509566/task/509593/attr/keycreate
/proc/509566/task/509593/attr/sockcreate
/proc/509566/task/509593/attr/current
/proc/509566/task/509594/attr/exec
/proc/509566/task/509594/attr/keycreate
/proc/509566/task/509607/attr/fscreate
/proc/509566/task/509594/attr/fscreate
/proc/509566/task/509594/attr/current
/proc/509566/task/509594/attr/sockcreate
/proc/509566/task/509607/attr/exec
/proc/509566/task/509607/attr/keycreate
/proc/509566/task/509607/attr/sockcreate
/proc/509566/task/509607/attr/current
/proc/509566/task/509608/attr/exec
/proc/509566/task/509608/attr/keycreate
/proc/509566/task/509609/attr/fscreate
/proc/509566/task/509608/attr/current
/proc/509566/task/509609/attr/exec
/proc/509566/task/509608/attr/fscreate
/proc/509566/task/509608/attr/sockcreate
/proc/509566/task/509609/attr/keycreate
/proc/509566/task/509609/attr/sockcreate
/proc/509566/task/509609/attr/current
/proc/509566/task/509612/attr/exec
/proc/509566/task/509612/attr/keycreate
/proc/509566/task/509613/attr/fscreate
/proc/509566/task/509612/attr/fscreate
/proc/509566/task/509612/attr/current
/proc/509566/task/509612/attr/sockcreate
/proc/509566/task/509613/attr/exec
/proc/509566/task/509613/attr/keycreate
/proc/509566/task/509613/attr/sockcreate
/proc/509566/task/509613/attr/current
/proc/509566/task/509614/attr/exec
/proc/509566/task/509614/attr/keycreate
/proc/509566/task/509616/attr/fscreate
/proc/509566/task/509614/attr/current
/proc/509566/task/509616/attr/exec
/proc/509566/task/509614/attr/fscreate
/proc/509566/task/509614/attr/sockcreate
/proc/509566/task/509616/attr/keycreate
/proc/509566/task/509616/attr/sockcreate
/proc/509566/task/509616/attr/current
/proc/509566/task/509617/attr/exec
/proc/509566/task/509617/attr/keycreate
/proc/509566/task/509618/attr/fscreate
/proc/509566/task/509617/attr/fscreate
/proc/509566/task/509617/attr/current
/proc/509566/task/509617/attr/sockcreate
/proc/509566/task/509618/attr/exec
/proc/509566/task/509618/attr/keycreate
/proc/509566/task/509618/attr/sockcreate
/proc/509566/task/509618/attr/current
/proc/509566/task/509621/attr/exec
/proc/509566/task/509621/attr/keycreate
/proc/509566/task/509622/attr/fscreate
/proc/509566/task/509621/attr/current
/proc/509566/task/509622/attr/exec
/proc/509566/task/509621/attr/fscreate
/proc/509566/task/509621/attr/sockcreate
/proc/509566/task/509622/attr/keycreate
/proc/509566/task/509622/attr/sockcreate
/proc/509566/task/509622/attr/current
/proc/509566/task/509623/attr/exec
/proc/509566/task/509623/attr/keycreate
/proc/509566/task/509632/attr/fscreate
/proc/509566/task/509623/attr/fscreate
/proc/509566/task/509623/attr/current
/proc/509566/task/509623/attr/sockcreate
/proc/509566/task/509632/attr/exec
/proc/509566/task/509632/attr/keycreate
/proc/509566/task/509632/attr/sockcreate
/proc/509566/task/509632/attr/current
/proc/509566/task/509633/attr/exec
/proc/509566/task/509633/attr/keycreate
/proc/509566/task/509634/attr/fscreate
/proc/509566/task/509633/attr/current
/proc/509566/task/509634/attr/exec
/proc/509566/task/509633/attr/fscreate
/proc/509566/task/509633/attr/sockcreate
/proc/509566/task/509634/attr/keycreate
/proc/509566/task/509634/attr/sockcreate
/proc/509566/task/509634/attr/current
/proc/509566/task/509639/attr/exec
/proc/509566/task/509639/attr/keycreate
/proc/509566/task/509640/attr/fscreate
/proc/509566/task/509639/attr/fscreate
/proc/509566/task/509639/attr/current
/proc/509566/task/509639/attr/sockcreate
/proc/509566/task/509640/attr/exec
/proc/509566/task/509640/attr/keycreate
/proc/509566/task/509640/attr/sockcreate
/proc/509566/task/509640/attr/current
/proc/509566/task/509641/attr/exec
/proc/509566/task/509641/attr/keycreate
/proc/509566/task/509659/attr/fscreate
/proc/509566/task/509641/attr/current
/proc/509566/task/509659/attr/exec
/proc/509566/task/509641/attr/fscreate
/proc/509566/task/509641/attr/sockcreate
/proc/509566/task/509659/attr/keycreate
/proc/509566/task/509659/attr/sockcreate
/proc/509566/task/509659/attr/current
/proc/509566/task/509660/attr/exec
/proc/509566/task/509660/attr/keycreate
/proc/509566/task/509661/attr/fscreate
/proc/509566/task/509660/attr/fscreate
/proc/509566/task/509660/attr/current
/proc/509566/task/509660/attr/sockcreate
/proc/509566/task/509661/attr/exec
/proc/509566/task/509661/attr/keycreate
/proc/509566/task/509661/attr/sockcreate
/proc/509566/task/509661/attr/current
/proc/509566/task/509709/attr/exec
/proc/509566/task/509709/attr/keycreate
/proc/509566/task/509710/attr/fscreate
/proc/509566/task/509709/attr/current
/proc/509566/task/509710/attr/exec
/proc/509566/task/509709/attr/fscreate
/proc/509566/task/509709/attr/sockcreate
/proc/509566/task/509710/attr/keycreate
/proc/509566/task/509710/attr/sockcreate
/proc/509566/task/509710/attr/current
/proc/509566/task/509711/attr/exec
/proc/509566/task/509711/attr/keycreate
/proc/509566/task/509726/attr/fscreate
/proc/509566/task/509711/attr/fscreate
/proc/509566/task/509711/attr/current
/proc/509566/task/509711/attr/sockcreate
/proc/509566/task/509726/attr/exec
/proc/509566/task/509726/attr/keycreate
/proc/509566/task/509726/attr/sockcreate
/proc/509566/task/509726/attr/current
/proc/509566/task/509727/attr/exec
/proc/509566/task/509727/attr/keycreate
/proc/509566/task/509728/attr/fscreate
/proc/509566/task/509727/attr/current
/proc/509566/task/509728/attr/exec
/proc/509566/task/509727/attr/fscreate
/proc/509566/task/509727/attr/sockcreate
/proc/509566/task/509728/attr/keycreate
/proc/509566/task/509728/attr/sockcreate
/proc/509566/task/509728/attr/current
/proc/509566/task/509747/attr/exec
/proc/509566/task/509747/attr/keycreate
/proc/509566/attr/current
/proc/509566/attr/keycreate
/proc/509566/task/509747/attr/fscreate
/proc/509566/task/509747/attr/current
/proc/509566/task/509747/attr/sockcreate
/proc/509566/attr/fscreate
/proc/509566/attr/sockcreate
/proc/509566/timerslack_ns
/sys/fs/selinux/access
/sys/fs/selinux/context
/sys/fs/cgroup/memory/user.slice/cgroup.event_control
/sys/fs/selinux/create
/sys/fs/selinux/member
/sys/fs/cgroup/memory/user.slice/user-1000.slice/user-runtime-dir@1000.service/cgroup.event_control
/sys/fs/cgroup/memory/init.scope/cgroup.event_control
/sys/fs/selinux/user
/sys/fs/selinux/relabel
/sys/fs/cgroup/memory/user.slice/user-1000.slice/session-17.scope/cgroup.event_control
/sys/fs/cgroup/memory/user.slice/user-1000.slice/cgroup.event_control
/sys/fs/cgroup/memory/user.slice/user-1000.slice/user@1000.service/cgroup.event_control
/sys/fs/cgroup/memory/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rngd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-systemd\x2dfsck.slice/systemd-fsck@dev-disk-by\x2duuid-F5ED\x2dF457.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-update-utmp.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/libstoragemgmt.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-systemd\x2dfsck.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/irqbalance.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/iscsid.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udevd-control.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lvm2-monitor.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journal-flush.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-sysctl.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udevd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udevd-kernel.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-serial\x2dgetty.slice/serial-getty@ttyS0.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rngd-wake-threshold.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/boot.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/import-state.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-config.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/polkit.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-remount-fs.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/chronyd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-debug.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/lvm2-lvmpolld.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/auditd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/home.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/mnt.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/tuned.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-sshd\x2dkeygen.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-tmpfiles-setup.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/-.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journald-dev-log.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-coredump.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/kdump.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cloud-init-local.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journald.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/atd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udev-trigger.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sshd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/vdo.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-mqueue.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/crond.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-initctl.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/NetworkManager.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/iscsi-shutdown.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-random-seed.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dbus.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cloud-final.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/usr.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rsyslog.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-modules-load.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/tmp.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/firewalld.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/boot-efi.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-udev-settle.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-tracing.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-tmpfiles-setup-dev.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cloud-config.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sys-kernel-debug-tracing.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/var.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sssd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-journald.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/kmod-static-nodes.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/proc-sys-fs-binfmt_misc.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/hypervkvpd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/sssd-kcm.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/rhsmcertd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/iscsiuio.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/mcelog.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-resolved.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-lvm2\x2dpvscan.slice/lvm2-pvscan@8:2.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-lvm2\x2dpvscan.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/cloud-init.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/multipathd.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/nis-domainname.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dev-hugepages.mount/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dbus.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-getty.slice/getty@tty1.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dracut-shutdown.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/NetworkManager-wait-online.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/system-getty.slice/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-user-sessions.service/cgroup.event_control
/sys/fs/cgroup/memory/azure.slice/waagent.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/dm-event.socket/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/smartd.service/cgroup.event_control
/sys/fs/cgroup/memory/system.slice/systemd-logind.service/cgroup.event_control
/sys/fs/cgroup/memory/azure.slice/cgroup.event_control
(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)
/home/azureuser
no value1
All Interactive Users Home Directories Must Existxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists mediumCCE-83424-2

All Interactive Users Home Directories Must Exist

Rule IDxccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-accounts_user_interactive_home_directory_exists:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83424-2

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010750, 6.2.9, SV-230323r627750_rule

Description
Create home directories to all interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in /etc/passwd:
$ sudo mkdir /home/USER
Rationale
If a local interactive user has a home directory defined that does not exist, the user may be given access to the / directory as the current working directory upon logon. This could create a Denial of Service because the user would not be able to access their logon configuration files, and it may give them visibility to system files they normally would not be able to access.
OVAL test results details

Check the existence of interactive users.  oval:ssg-test_accounts_user_interactive_home_directory_exists:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count_fs:var:11

Check the existence of interactive users.  oval:ssg-test_accounts_user_interactive_home_directory_exists_users:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-var_accounts_user_interactive_home_directory_exists_dirs_count:var:11
All Interactive User Home Directories Must Be Group-Owned By The Primary Userxccdf_org.ssgproject.content_rule_file_groupownership_home_directories mediumCCE-83434-1

All Interactive User Home Directories Must Be Group-Owned By The Primary User

Rule IDxccdf_org.ssgproject.content_rule_file_groupownership_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupownership_home_directories:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83434-1

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010740, 6.2.10, SV-230322r743963_rule

Description
Change the group owner of interactive users home directory to the group found in /etc/passwd. To change the group owner of interactive users home directory, use the following command:
$ sudo chgrp USER_GROUP /home/USER
This rule ensures every home directory related to an interactive user is group-owned by an interactive user. It also ensures that interactive users are group-owners of one and only one home directory.
Rationale
If the Group Identifier (GID) of a local interactive users home directory is not the same as the primary GID of the user, this would allow unauthorized access to the users files, and users that share the same group may not be able to access files that they legitimately should.
Warnings
warning  Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the group-ownership of their respective home directories.
OVAL test results details

All home directories are group-owned by a local interactive group  oval:ssg-test_file_groupownership_home_directories:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/azureuser/directory10001000182rwx------ 
All Interactive User Home Directories Must Be Owned By The Primary Userxccdf_org.ssgproject.content_rule_file_ownership_home_directories mediumCCE-86131-0

All Interactive User Home Directories Must Be Owned By The Primary User

Rule IDxccdf_org.ssgproject.content_rule_file_ownership_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_ownership_home_directories:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86131-0

References:  CCI-000366, SRG-OS-000480-GPOS-00227, 6.2.10

Description
Change the owner of interactive users home directories to that correct owner. To change the owner of a interactive users home directory, use the following command:
$ sudo chown USER /home/USER
This rule ensures every home directory related to an interactive user is owned by an interactive user. It also ensures that interactive users are owners of one and only one home directory.
Rationale
If a local interactive user does not own their home directory, unauthorized users could access or modify the user's files, and the users may not be able to access their own files.
Warnings
warning  Due to OVAL limitation, this rule can report a false negative in a specific situation where two interactive users swap the ownership of their respective home directories.
OVAL test results details

All home directories are owned by a local interactive user  oval:ssg-test_file_ownership_home_directories:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/azureuser/directory10001000182rwx------ 

It should not exist duplicated owners of home dirs  oval:ssg-test_file_ownership_home_directories_duplicated:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-var_file_ownership_home_directories_uids_count:var:11
All Interactive User Home Directories Must Have mode 0750 Or Less Permissivexccdf_org.ssgproject.content_rule_file_permissions_home_directories mediumCCE-84038-9

All Interactive User Home Directories Must Have mode 0750 Or Less Permissive

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_home_directories
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_home_directories:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-84038-9

References:  CCI-000366, SRG-OS-000480-GPOS-00227, RHEL-08-010730, 6.2.11, SV-230321r627750_rule

Description
Change the mode of interactive users home directories to 0750. To change the mode of interactive users home directory, use the following command:
$ sudo chmod 0750 /home/USER
Rationale
Excessive permissions on local interactive user home directories may allow unauthorized access to user files by other users.
OVAL test results details

All home directories have proper permissions  oval:ssg-test_file_permissions_home_directories:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/home/azureuser/directory10001000182rwx------ 
Enable authselectxccdf_org.ssgproject.content_rule_enable_authselect mediumCCE-88248-0

Enable authselect

Rule IDxccdf_org.ssgproject.content_rule_enable_authselect
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-enable_authselect:def:1
Time2022-11-07T15:05:07+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-88248-0

References:  BP28(R5), CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), AC-3, FIA_UAU.1, FIA_AFL.1, SRG-OS-000480-GPOS-00227, 1.2.3

Description
Configure user authentication setup to use the authselect tool. If authselect profile is selected, the rule will enable the sssd profile.
Rationale
Authselect is a successor to authconfig. It is a tool to select system authentication and identity sources from a list of supported profiles instead of letting the administrator manually build the PAM stack. That way, it avoids potential breakage of configuration, as it ships several tested profiles that are well tested and supported to solve different use-cases.
Warnings
warning  If the sudo authselect select command returns an error informing that the chosen profile cannot be selected, it is probably because PAM files have already been modified by the administrator. If this is the case, in order to not overwrite the desired changes made by the administrator, the current PAM settings should be investigated before forcing the selection of the chosen authselect profile.
OVAL test results details

The 'fingerprint-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_fingerprint_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/fingerprint-auth/etc/authselect/fingerprint-auth

The 'password-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_password_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/password-auth/etc/authselect/password-auth

The 'postlogin' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_postlogin_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/postlogin/etc/authselect/postlogin

The 'smartcard-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_smartcard_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/smartcard-auth/etc/authselect/smartcard-auth

The 'system-auth' PAM config is a symlink to its authselect counterpart  oval:ssg-test_pam_system_symlinked_to_authselect:tst:1  true

Following items have been found on the system:
FilepathCanonical path
/etc/pam.d/system-auth/etc/authselect/system-auth
Record Events that Modify the System's Discretionary Access Controls - chmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod mediumCCE-80685-1

Record Events that Modify the System's Discretionary Access Controls - chmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chmod:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80685-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chmod  oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit chmod  oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - chownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown mediumCCE-80686-9

Record Events that Modify the System's Discretionary Access Controls - chown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_chown:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80686-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit chown  oval:ssg-test_32bit_ardm_chown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit chown  oval:ssg-test_64bit_ardm_chown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit chown  oval:ssg-test_32bit_ardm_chown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit chown  oval:ssg-test_64bit_ardm_chown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmodxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod mediumCCE-80687-7

Record Events that Modify the System's Discretionary Access Controls - fchmod

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmod:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80687-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmod  oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit fchmod  oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchmodatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat mediumCCE-80688-5

Record Events that Modify the System's Discretionary Access Controls - fchmodat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchmodat:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80688-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030490, 4.1.3.9, SV-230456r810462_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchmodat  oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit fchmodat  oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown mediumCCE-80689-3

Record Events that Modify the System's Discretionary Access Controls - fchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchown:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80689-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchown  oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit fchown  oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fchownatxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat mediumCCE-80690-1

Record Events that Modify the System's Discretionary Access Controls - fchownat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fchownat:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80690-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fchownat  oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit fchownat  oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr mediumCCE-80691-9

Record Events that Modify the System's Discretionary Access Controls - fremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fremovexattr:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80691-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit fremovexattr auid=0  oval:ssg-test_32bit_ardm_fremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit fremovexattr  oval:ssg-test_32bit_ardm_fremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit fremovexattr  oval:ssg-test_64bit_ardm_fremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - fsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr mediumCCE-80692-7

Record Events that Modify the System's Discretionary Access Controls - fsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_fsetxattr:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80692-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit fsetxattr auid=0  oval:ssg-test_32bit_ardm_fsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit fsetxattr  oval:ssg-test_32bit_ardm_fsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit fsetxattr  oval:ssg-test_64bit_ardm_fsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lchownxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown mediumCCE-80693-5

Record Events that Modify the System's Discretionary Access Controls - lchown

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lchown:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80693-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000466-GPOS-00210, SRG-OS-000458-GPOS-00203, SRG-OS-000474-GPOS-00219, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030480, 4.1.3.9, SV-230455r810459_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lchown  oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit lchown  oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lremovexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr mediumCCE-80694-3

Record Events that Modify the System's Discretionary Access Controls - lremovexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lremovexattr:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80694-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit lremovexattr auid=0  oval:ssg-test_32bit_ardm_lremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit lremovexattr  oval:ssg-test_32bit_ardm_lremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit lremovexattr  oval:ssg-test_64bit_ardm_lremovexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - lsetxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr mediumCCE-80695-0

Record Events that Modify the System's Discretionary Access Controls - lsetxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_lsetxattr:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80695-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000466-GPOS-00210, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit lsetxattr auid=0  oval:ssg-test_32bit_ardm_lsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit lsetxattr  oval:ssg-test_32bit_ardm_lsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit lsetxattr  oval:ssg-test_64bit_ardm_lsetxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - removexattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr mediumCCE-80696-8

Record Events that Modify the System's Discretionary Access Controls - removexattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_removexattr:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80696-8

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000468-GPOS-00212, SRG-OS-000471-GPOS-00215, SRG-OS-000474-GPOS-00219, SRG-OS-000466-GPOS-00210, SRG-OS-000064-GPOS-00033, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root.

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -F key=perm_mod


If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit removexattr auid=0  oval:ssg-test_32bit_ardm_removexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit removexattr  oval:ssg-test_32bit_ardm_removexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit removexattr  oval:ssg-test_64bit_ardm_removexattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Record Events that Modify the System's Discretionary Access Controls - setxattrxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr mediumCCE-80697-6

Record Events that Modify the System's Discretionary Access Controls - setxattr

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_dac_modification_setxattr:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80697-6

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000466-GPOS-00210, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000458-VMM-001810, SRG-OS-000474-VMM-001940, RHEL-08-030200, 4.1.3.9, SV-230413r810463_rule

Description
At a minimum, the audit system should collect file permission changes for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -F key=perm_mod
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -F key=perm_mod
Rationale
The changing of file permissions could indicate that a user is attempting to gain access to information that would otherwise be disallowed. Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 32-bit setxattr auid=0  oval:ssg-test_32bit_ardm_setxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit augenrules 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_augenrules_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 32-bit setxattr  oval:ssg-test_32bit_ardm_setxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl 64-bit setxattr  oval:ssg-test_64bit_ardm_setxattr_auditctl_auid_0:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S fremovexattr -S fsetxattr -S lremovexattr -S lsetxattr -S removexattr -S setxattr -F auid=0 -F key=perm_mod
Ensure auditd Collects File Deletion Events by User - renamexccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename mediumCCE-80703-2

Ensure auditd Collects File Deletion Events by User - rename

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_rename:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80703-2

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S rename -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit rename  oval:ssg-test_32bit_ardm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit rename  oval:ssg-test_64bit_ardm_rename_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit rename  oval:ssg-test_32bit_ardm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit rename  oval:ssg-test_64bit_ardm_rename_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Ensure auditd Collects File Deletion Events by User - renameatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat mediumCCE-80704-0

Ensure auditd Collects File Deletion Events by User - renameat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_renameat:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80704-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S renameat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit renameat  oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit renameat  oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Ensure auditd Collects File Deletion Events by User - unlinkatxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat mediumCCE-80707-3

Ensure auditd Collects File Deletion Events by User - unlinkat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_file_deletion_events_unlinkat:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80707-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-000366, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.4, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.1.1, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.MA-2, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000466-GPOS-00210, SRG-OS-000467-GPOS-00211, SRG-OS-000468-GPOS-00212, SRG-OS-000466-VMM-001870, SRG-OS-000468-VMM-001890, RHEL-08-030361, 4.1.3.13, SV-230439r810465_rule

Description
At a minimum, the audit system should collect file deletion events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Rationale
Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting malicious processes that attempt to delete log files to conceal their presence.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/delete.rules-a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit unlinkat  oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit unlinkat  oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
Record Unsuccessful Access Attempts to Files - creatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat mediumCCE-80751-1

Record Unsuccessful Access Attempts to Files - creat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80751-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - ftruncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate mediumCCE-80752-9

Record Unsuccessful Access Attempts to Files - ftruncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80752-9

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - openxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open mediumCCE-80753-7

Record Unsuccessful Access Attempts to Files - open

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_open:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80753-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - openatxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat mediumCCE-80754-5

Record Unsuccessful Access Attempts to Files - openat

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80754-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Record Unsuccessful Access Attempts to Files - truncatexccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate mediumCCE-80756-0

Record Unsuccessful Access Attempts to Files - truncate

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80756-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.4, Req-10.2.1, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000064-GPOS-00033, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000458-VMM-001810, SRG-OS-000461-VMM-001830, RHEL-08-030420, 4.1.3.7, SV-230449r810455_rule

Description
At a minimum, the audit system should collect unauthorized file accesses for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
If the system is 64 bit then also add the following lines:
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Rationale
Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise.
Warnings
warning  Note that these rules can be configured in a number of ways while still achieving the desired effect. Here the system calls have been placed independent of other system calls. Grouping these system calls with others as identifying earlier in this guide is more efficient.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit augenrules 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/access.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit file eacces  oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 32-bit file eperm  oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit file eacces  oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access

audit auditctl 64-bit file eperm  oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
Ensure auditd Collects Information on Kernel Module Unloading - delete_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete mediumCCE-80711-5

Ensure auditd Collects Information on Kernel Module Unloading - delete_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_delete:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80711-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970, RHEL-08-030390, 4.1.3.19, SV-230446r627750_rule

Description
To capture kernel module unloading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S delete_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The removal of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/module-change.rules-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/module-change.rules-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit delete_module  oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules -a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit delete_module  oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -F key=module-change
Ensure auditd Collects Information on Kernel Module Loading - init_modulexccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init mediumCCE-80713-1

Ensure auditd Collects Information on Kernel Module Loading - init_module

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_kernel_module_loading_init:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80713-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000477-GPOS-00222, SRG-OS-000477-VMM-001970, RHEL-08-030360, 4.1.3.19, SV-230438r810464_rule

Description
To capture kernel module loading events, use following line, setting ARCH to either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-a always,exit -F arch=ARCH -S init_module -F auid>=1000 -F auid!=unset -F key=modules
Place to add the line depends on a way auditd daemon is configured. If it is configured to use the augenrules program (the default), add the line to a file with suffix .rules in the directory /etc/audit/rules.d. If the auditd daemon is configured to use the auditctl utility, add the line to file /etc/audit/audit.rules.
Rationale
The addition of kernel modules can be used to alter the behavior of the kernel and potentially introduce malicious code into kernel space. It is important to have an audit trail of modules that have been introduced into the kernel.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/module-change.rules-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/module-change.rules-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit init_module  oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit init_module  oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=unset -F key=module-change
Record attempts to alter time through adjtimexxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex mediumCCE-80745-3

Record attempts to alter time through adjtimex

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_adjtimex:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80745-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit adjtimex  oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit adjtimex  oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit adjtimex  oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit adjtimex  oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules
Record Attempts to Alter Time Through clock_settimexccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime mediumCCE-80746-1

Record Attempts to Alter Time Through clock_settime

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_clock_settime:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80746-1

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
If the system is 64 bit then also add the following line:
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined syscalls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit clock_settime  oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/time-change.rules-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit clock_settime  oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/time-change.rules-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit clock_settime  oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit clock_settime  oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
Record Attempts to Alter Time Through stimexccdf_org.ssgproject.content_rule_audit_rules_time_stime mediumCCE-80748-7

Record Attempts to Alter Time Through stime

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_stime
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_stime:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80748-7

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file for both 32 bit and 64 bit systems:
-a always,exit -F arch=b32 -S stime -F key=audit_time_rules
Since the 64 bit version of the "stime" system call is not defined in the audit lookup table, the corresponding "-F arch=b64" form of this rule is not expected to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule form itself is sufficient for both 32 bit and 64 bit systems). The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport. Multiple system calls can be defined on the same line to save space if desired, but is not required. See an example of multiple combined system calls:
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

32 bit architecture  oval:ssg-test_system_info_architecture_x86:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit stime  oval:ssg-test_32bit_art_stime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit stime  oval:ssg-test_32bit_art_stime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S adjtimex -S stime -F key=audit_time_rules
Record Attempts to Alter the localtime Filexccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime mediumCCE-80749-5

Record Attempts to Alter the localtime File

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_time_watch_localtime:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80749-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-001487, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.4.2.b, 4.1.3.4

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/localtime -p wa -k audit_time_rules
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/localtime -p wa -k audit_time_rules
The -k option allows for the specification of a key in string form that can be used for better reporting capability through ausearch and aureport and should always be used.
Rationale
Arbitrary changes to the system time can be used to obfuscate nefarious activities in log files, as well as to confuse network services that are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit /etc/localtime watch augenrules  oval:ssg-test_artw_etc_localtime_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_time_rules.rules-w /etc/localtime -p wa -k audit_time_rules

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit /etc/localtime watch auditctl  oval:ssg-test_artw_etc_localtime_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/localtime -p wa -k audit_time_rules
Make the auditd Configuration Immutablexccdf_org.ssgproject.content_rule_audit_rules_immutable mediumCCE-80708-1

Make the auditd Configuration Immutable

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_immutable
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_immutable:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80708-1

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO01.06, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, DSS06.02, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.4.3, CCI-000162, CCI-000163, CCI-000164, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.310(a)(2)(iv), 164.312(d), 164.310(d)(2)(iii), 164.312(b), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.7.3, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 5.2, SR 6.1, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-4, PR.DS-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.5.2, SRG-OS-000057-GPOS-00027, SRG-OS-000058-GPOS-00028, SRG-OS-000059-GPOS-00029, RHEL-08-030121, 4.1.3.20, SV-230402r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d in order to make the auditd configuration immutable:
-e 2
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file in order to make the auditd configuration immutable:
-e 2
With this setting, a reboot will be required to change any audit rules.
Rationale
Making the audit configuration immutable prevents accidental as well as malicious modification of the audit rules, although it may be problematic if legitimate changes are needed during system operation.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules configuration locked  oval:ssg-test_ari_locked_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/immutable.rules-e 2

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl configuration locked  oval:ssg-test_ari_locked_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-e 2
Record Events that Modify the System's Mandatory Access Controlsxccdf_org.ssgproject.content_rule_audit_rules_mac_modification mediumCCE-80721-4

Record Events that Modify the System's Mandatory Access Controls

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_mac_modification
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_mac_modification:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80721-4

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.8, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.5.5, 4.1.3.14

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/selinux/ -p wa -k MAC-policy
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/selinux/ -p wa -k MAC-policy
Rationale
The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit selinux changes augenrules  oval:ssg-test_armm_selinux_watch_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/MAC-policy.rules-w /etc/selinux/ -p wa -k MAC-policy

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit selinux changes auditctl  oval:ssg-test_armm_selinux_watch_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/selinux/ -p wa -k MAC-policy
Ensure auditd Collects Information on Exporting to Media (successful)xccdf_org.ssgproject.content_rule_audit_rules_media_export mediumCCE-80722-2

Ensure auditd Collects Information on Exporting to Media (successful)

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_media_export
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_media_export:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80722-2

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.2.7, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030302, 4.1.3.10, SV-230425r627750_rule

Description
At a minimum, the audit system should collect media exportation events for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S mount -F auid>=1000 -F auid!=unset -F key=export
Rationale
The unauthorized exportation of data to external media could result in an information leak where classified information, Privacy Act information, and intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit mount  oval:ssg-test_32bit_ardm_mount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit mount  oval:ssg-test_64bit_ardm_mount_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/perm_mod.rules-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit mount  oval:ssg-test_32bit_ardm_mount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit mount  oval:ssg-test_64bit_ardm_mount_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -F key=perm_mod
Record Events that Modify the System's Network Environmentxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification mediumCCE-80723-0

Record Events that Modify the System's Network Environment

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_networkconfig_modification:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80723-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, Req-10.5.5, 4.1.3.5

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, setting ARCH to either b32 or b64 as appropriate for your system:
-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
-w /etc/issue -p wa -k audit_rules_networkconfig_modification
-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
-w /etc/hosts -p wa -k audit_rules_networkconfig_modification
-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification
Rationale
The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit /etc/issue augenrules  oval:ssg-test_arnm_etc_issue_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net augenrules  oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts augenrules  oval:ssg-test_arnm_etc_hosts_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network augenrules  oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit /etc/issue auditctl  oval:ssg-test_arnm_etc_issue_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/issue -p wa -k audit_rules_networkconfig_modification

audit /etc/issue.net auditctl  oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

audit /etc/hosts auditctl  oval:ssg-test_arnm_etc_hosts_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/hosts -p wa -k audit_rules_networkconfig_modification

audit /etc/sysconfig/network auditctl  oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit sethostname  oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit sethostname  oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit augenrules 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_networkconfig_modification.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl 32-bit setdomainname  oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification

64 bit architecture  oval:ssg-test_system_info_architecture_x86_64:tst:1  true

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppc_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_ppcle_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_aarch_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

64 bit architecture  oval:ssg-test_system_info_architecture_s390_64:tst:1  false

Following items have been found on the system:
Machine classNode nameOs nameOs releaseOs versionProcessor type
x86_64ciclvl2-rhel84Linux4.18.0-305.40.1.el8_4.x86_64#1 SMP Tue Feb 22 07:56:15 EST 2022x86_64

audit auditctl 64-bit setdomainname  oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
Record Attempts to Alter Process and Session Initiation Informationxccdf_org.ssgproject.content_rule_audit_rules_session_events mediumCCE-80742-0

Record Attempts to Alter Process and Session Initiation Information

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_session_events
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_session_events:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80742-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, 0582, 0584, 05885, 0586, 0846, 0957, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AU-2(d), AU-12(c), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.3, 4.1.3.11

Description
The audit system already collects process information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for attempted manual edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules utmp  oval:ssg-test_arse_utmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/run/utmp -p wa -k session

audit augenrules btmp  oval:ssg-test_arse_btmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/log/btmp -p wa -k session

audit augenrules wtmp  oval:ssg-test_arse_wtmp_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/session.rules-w /var/log/wtmp -p wa -k session

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl utmp  oval:ssg-test_arse_utmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/run/utmp -p wa -k session

audit auditctl btmp  oval:ssg-test_arse_btmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/log/btmp -p wa -k session

audit auditctl wtmp  oval:ssg-test_arse_wtmp_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /var/log/wtmp -p wa -k session
Ensure auditd Collects System Administrator Actionsxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions mediumCCE-80743-8

Ensure auditd Collects System Administrator Actions

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_sysadmin_actions:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80743-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000126, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, AC-2(7)(b), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.2, Req-10.2.5.b, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000462-VMM-001840, SRG-OS-000471-VMM-001910, 4.1.3.1

Description
At a minimum, the audit system should collect administrator actions for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to a file with suffix .rules in the directory /etc/audit/rules.d:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to /etc/audit/audit.rules file:
-w /etc/sudoers -p wa -k actions
-w /etc/sudoers.d/ -p wa -k actions
Rationale
The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/actions.rules-w /etc/sudoers -p wa -k actions

audit augenrules sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/actions.rules-w /etc/sudoers.d/ -p wa -k actions

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit auditctl sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sudoers -p wa -k actions

audit auditctl sudoers  oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/sudoers.d/ -p wa -k actions
Record Events that Modify User/Group Information - /etc/groupxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group mediumCCE-80758-6

Record Events that Modify User/Group Information - /etc/group

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_group:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80758-6

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960, RHEL-08-030170, 4.1.3.8, SV-230408r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/group -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules group  oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/group -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit group  oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/group -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/gshadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow mediumCCE-80759-4

Record Events that Modify User/Group Information - /etc/gshadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_gshadow:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80759-4

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960, RHEL-08-030160, 4.1.3.8, SV-230407r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit gshadow  oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/security/opasswdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd mediumCCE-80760-2

Record Events that Modify User/Group Information - /etc/security/opasswd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_opasswd:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80760-2

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960, RHEL-08-030140, 4.1.3.8, SV-230405r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit opasswd  oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/passwdxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd mediumCCE-80761-0

Record Events that Modify User/Group Information - /etc/passwd

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_passwd:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80761-0

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000304-GPOS-00121, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960, RHEL-08-030150, 4.1.3.8, SV-230406r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/passwd -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit passwd  oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Record Events that Modify User/Group Information - /etc/shadowxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow mediumCCE-80762-8

Record Events that Modify User/Group Information - /etc/shadow

Rule IDxccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-audit_rules_usergroup_modification_shadow:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80762-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS06.03, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.1.7, CCI-000018, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001403, CCI-001404, CCI-001405, CCI-001683, CCI-001684, CCI-001685, CCI-001686, CCI-002130, CCI-002132, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(3)(ii)(A), 164.308(a)(5)(ii)(C), 164.312(a)(2)(i), 164.312(b), 164.312(d), 164.312(e), 4.2.3.10, 4.3.2.6.7, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.8, 4.3.3.6.6, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.1.2, A.6.2.1, A.6.2.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.2, CIP-004-6 R2.2.3, CIP-007-3 R.1.3, CIP-007-3 R5, CIP-007-3 R5.1.1, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, AC-2(4), AU-2(d), AU-12(c), AC-6(9), CM-6(a), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1.1.c, Req-10.2.5, SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000004-VMM-000040, SRG-OS-000239-VMM-000810, SRG-OS-000240-VMM-000820, SRG-OS-000241-VMM-000830, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000276-VMM-000980, SRG-OS-000277-VMM-000990, SRG-OS-000303-VMM-001090, SRG-OS-000304-VMM-001100, SRG-OS-000476-VMM-001960, RHEL-08-030130, 4.1.3.8, SV-230404r627750_rule

Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification


If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file, in order to capture events that modify account changes:

-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
OVAL test results details

audit augenrules  oval:ssg-test_audit_rules_augenrules:tst:1  true

Following items have been found on the system:
PathContent
/usr/lib/systemd/system/auditd.serviceExecStartPost=-/sbin/augenrules --load

audit augenrules shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/rules.d/audit_rules_usergroup_modification.rules-w /etc/shadow -p wa -k audit_rules_usergroup_modification

audit auditctl  oval:ssg-test_audit_rules_auditctl:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_audit_rules_auditctl:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/usr/lib/systemd/system/auditd.service^ExecStartPost=\-\/sbin\/auditctl.*$1

audit shadow  oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/audit.rules-w /etc/shadow -p wa -k audit_rules_usergroup_modification
Configure auditd mail_acct Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct mediumCCE-80678-6

Configure auditd mail_acct Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_action_mail_acct:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80678-6

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000139, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, CIP-003-8 R1.3, CIP-003-8 R3, CIP-003-8 R3.1, CIP-003-8 R3.2, CIP-003-8 R3.3, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, IA-5(1), AU-5(a), AU-5(2), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7.a, SRG-OS-000046-GPOS-00022, SRG-OS-000343-GPOS-00134, SRG-OS-000046-VMM-000210, SRG-OS-000343-VMM-001240, RHEL-08-030020, 4.1.2.3, SV-230388r627750_rule

Description
The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:
action_mail_acct = root
Rationale
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
OVAL test results details

email account for actions  oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confaction_mail_acct = root
Configure auditd admin_space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action mediumCCE-80679-4

Configure auditd admin_space_left Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_admin_space_left_action:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80679-4

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-000140, CCI-001343, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, 4.1.2.3

Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
OVAL test results details

space left action  oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confadmin_space_left_action = halt
Configure auditd Max Log File Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file mediumCCE-80681-0

Configure auditd Max Log File Size

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_max_log_file:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80681-0

References:  1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, BAI03.05, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, CIP-004-6 R2.2.3, CIP-004-6 R3.3, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AU-11, CM-6(a), DE.AE-3, DE.AE-5, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, 4.1.2.1

Description
Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting the correct value of 6 for STOREMB:
max_log_file = STOREMB
Set the value to 6 (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data.
Rationale
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
OVAL test results details

max log file size  oval:ssg-test_auditd_data_retention_max_log_file:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confmax_log_file = 6
Configure auditd max_log_file_action Upon Reaching Maximum Log Sizexccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action mediumCCE-80682-8

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_max_log_file_action:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80682-8

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, CCI-000140, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000047-GPOS-00023, 4.1.2.2

Description
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by auditd, add or correct the line in /etc/audit/auditd.conf:
max_log_file_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • ignore
  • syslog
  • suspend
  • rotate
  • keep_logs
Set the ACTION to rotate to ensure log rotation occurs. This is the default. The setting is case-insensitive.
Rationale
Automatically rotating logs (by setting this to rotate) minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, keep_logs can be employed.
OVAL test results details

admin space left action   oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confmax_log_file_action = keep_logs
Configure auditd space_left Action on Low Disk Spacexccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action mediumCCE-80684-4

Configure auditd space_left Action on Low Disk Space

Rule IDxccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-auditd_data_retention_space_left_action:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80684-4

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO11.04, APO12.06, APO13.01, BAI03.05, BAI04.04, BAI08.02, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.04, DSS05.07, MEA02.01, 3.3.1, CCI-001855, 164.312(a)(2)(ii), 4.2.3.10, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.16.1.4, A.16.1.5, A.16.1.7, A.17.2.1, AU-5(b), AU-5(2), AU-5(1), AU-5(4), CM-6(a), DE.AE-3, DE.AE-5, PR.DS-4, PR.PT-1, RS.AN-1, RS.AN-4, Req-10.7, SRG-OS-000343-GPOS-00134, SRG-OS-000343-VMM-001240, RHEL-08-030731, 4.1.2.3, SV-244543r743878_rule

Description
The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:
space_left_action = ACTION
Possible values for ACTION are described in the auditd.conf man page. These include:
  • syslog
  • email
  • exec
  • suspend
  • single
  • halt
Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.
Rationale
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
OVAL test results details

space left action  oval:ssg-test_auditd_data_retention_space_left_action:tst:1  true

Following items have been found on the system:
PathContent
/etc/audit/auditd.confspace_left_action = email
Ensure the audit Subsystem is Installedxccdf_org.ssgproject.content_rule_package_audit_installed mediumCCE-81043-2

Ensure the audit Subsystem is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_audit_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_audit_installed:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81043-2

References:  BP28(R50), CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-002884, CCI-000169, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-7(a), AU-7(1), AU-7(2), AU-14, AU-12(2), AU-2(a), CM-6(a), FAU_GEN.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, RHEL-08-030180, 4.1.1.1, SV-230411r744000_rule

Description
The audit package should be installed.
Rationale
The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
OVAL test results details

package audit is installed  oval:ssg-test_package_audit_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
auditx86_64(none)0.17.20191104git1c2f876.el83.00:3.0-0.17.20191104git1c2f876.el8199e2f91fd431d51audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64
Enable auditd Servicexccdf_org.ssgproject.content_rule_service_auditd_enabled mediumCCE-80872-5

Enable auditd Service

Rule IDxccdf_org.ssgproject.content_rule_service_auditd_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_auditd_enabled:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80872-5

References:  1, 11, 12, 13, 14, 15, 16, 19, 2, 3, 4, 5, 6, 7, 8, 9, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.03, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, 3.3.2, 3.3.6, CCI-000126, CCI-000130, CCI-000131, CCI-000132, CCI-000133, CCI-000134, CCI-000135, CCI-000154, CCI-000158, CCI-000172, CCI-000366, CCI-001464, CCI-001487, CCI-001814, CCI-001875, CCI-001876, CCI-001877, CCI-002884, CCI-001878, CCI-001879, CCI-001880, CCI-001881, CCI-001882, CCI-001889, CCI-001914, CCI-000169, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 6.2, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.7, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, CIP-004-6 R3.3, CIP-007-3 R6.5, AC-2(g), AU-3, AU-10, AU-2(d), AU-12(c), AU-14(1), AC-6(9), CM-6(a), SI-4(23), DE.AE-3, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.1, SRG-OS-000062-GPOS-00031, SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000051-GPOS-00024, SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000254-GPOS-00095, SRG-OS-000255-GPOS-00096, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000365-GPOS-00152, SRG-OS-000392-GPOS-00172, SRG-OS-000475-GPOS-00220, SRG-OS-000037-VMM-000150, SRG-OS-000063-VMM-000310, SRG-OS-000038-VMM-000160, SRG-OS-000039-VMM-000170, SRG-OS-000040-VMM-000180, SRG-OS-000041-VMM-000190, RHEL-08-030181, 4.1.1.2, SV-244542r818838_rule

Description
The auditd service is an essential userspace component of the Linux Auditing System, as it is responsible for writing audit records to disk. The auditd service can be enabled with the following command:
$ sudo systemctl enable auditd.service
Rationale
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Ensuring the auditd service is active ensures audit records generated by the kernel are appropriately recorded.

Additionally, a properly configured audit subsystem ensures that actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
OVAL test results details

package audit is installed  oval:ssg-test_service_auditd_package_audit_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
auditx86_64(none)0.17.20191104git1c2f876.el83.00:3.0-0.17.20191104git1c2f876.el8199e2f91fd431d51audit-0:3.0-0.17.20191104git1c2f876.el8.x86_64

Test that the auditd service is running  oval:ssg-test_service_running_auditd:tst:1  true

Following items have been found on the system:
UnitPropertyValue
auditd.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_auditd:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service

systemd test  oval:ssg-test_multi_user_wants_auditd_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service
Enable Auditing for Processes Which Start Prior to the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_argument mediumCCE-80825-3

Enable Auditing for Processes Which Start Prior to the Audit Daemon

Rule IDxccdf_org.ssgproject.content_rule_grub2_audit_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_audit_argument:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80825-3

References:  1, 11, 12, 13, 14, 15, 16, 19, 3, 4, 5, 6, 7, 8, 5.4.1.1, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO12.06, APO13.01, BAI03.05, BAI08.02, DSS01.04, DSS02.02, DSS02.04, DSS02.07, DSS03.01, DSS05.02, DSS05.03, DSS05.04, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, 3.3.1, CCI-001464, CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-002884, 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(C), 164.310(a)(2)(iv), 164.310(d)(2)(iii), 164.312(b), 4.2.3.10, 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.3.6.6, 4.3.4.4.7, 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.13, SR 2.10, SR 2.11, SR 2.12, SR 2.6, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.1, SR 7.1, SR 7.6, A.11.2.6, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.2.1, A.14.1.3, A.15.2.1, A.15.2.2, A.16.1.4, A.16.1.5, A.16.1.7, A.6.2.1, A.6.2.2, AC-17(1), AU-14(1), AU-10, CM-6(a), IR-5(1), DE.AE-3, DE.AE-5, ID.SC-4, PR.AC-3, PR.PT-1, PR.PT-4, RS.AN-1, RS.AN-4, FAU_GEN.1, Req-10.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000254-GPOS-00095, SRG-OS-000254-VMM-000880, RHEL-08-030601, 4.1.1.3, SV-230468r792904_rule

Description
To ensure all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 to the default GRUB 2 command line for the Linux operating system. To ensure that audit=1 is added as a kernel command line argument to newly installed kernels, add audit=1 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit=1 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit=1"
Rationale
Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot.
OVAL test results details

check for kernel command line parameters audit=1 in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_audit_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/rootvg-rootlv ro loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192

check for kernel command line parameters audit=1 in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_audit_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.40.1.el8_4.x86_64.confoptions $kernelopts $tuned_params
/boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.el8.x86_64.confoptions $kernelopts $tuned_params

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_audit_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192"

check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_audit_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Extend Audit Backlog Limit for the Audit Daemonxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument lowCCE-80943-4

Extend Audit Backlog Limit for the Audit Daemon

Rule IDxccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_audit_backlog_limit_argument:def:1
Time2022-11-07T15:05:18+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80943-4

References:  CCI-000130, CCI-000135, CCI-000169, CCI-000172, CCI-001849, CCI-002884, CM-6(a), FAU_STG.1, FAU_STG.3, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000254-GPOS-00095, SRG-OS-000341-GPOS-00132, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, RHEL-08-030602, 4.1.1.4, SV-230469r792906_rule

Description
To improve the kernel capacity to queue all log events, even those which occurred prior to the audit daemon, add the argument audit_backlog_limit=8192 to the default GRUB 2 command line for the Linux operating system. To ensure that audit_backlog_limit=8192 is added as a kernel command line argument to newly installed kernels, add audit_backlog_limit=8192 to the default Grub2 command line for Linux operating systems. Modify the line within /etc/default/grub as shown below:
GRUB_CMDLINE_LINUX="... audit_backlog_limit=8192 ..."
Run the following command to update command line for already installed kernels:
# grubby --update-kernel=ALL --args="audit_backlog_limit=8192"
Rationale
audit_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. Until the audit daemon is up and running, all log messages are stored in this queue. If the queue is overrun during boot process, the action defined by audit failure flag is taken.
OVAL test results details

check for kernel command line parameters audit_backlog_limit=8192 in /boot/grub2/grubenv for all kernels  oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env:tst:1  true

Following items have been found on the system:
PathContent
/boot/grub2/grubenvkernelopts=root=/dev/mapper/rootvg-rootlv ro loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192

check for kernel command line parameters audit_backlog_limit=8192 in /boot/efi/EFI/redhat/grubenv for all kernels  oval:ssg-test_grub2_audit_backlog_limit_argument_grub_env_uefi:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_grub_env_uefi:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/grubenv^kernelopts=(.*)$1

check kernel command line parameters for referenced boot entries reference the $kernelopts variable.  oval:ssg-test_grub2_entries_reference_kernelopts:tst:1  true

Following items have been found on the system:
PathContent
/boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.40.1.el8_4.x86_64.confoptions $kernelopts $tuned_params
/boot/loader/entries/a869311b25bb46a1be50f74b6ac7f4b9-4.18.0-305.el8.x86_64.confoptions $kernelopts $tuned_params

check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX  oval:ssg-test_grub2_audit_backlog_limit_argument:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_CMDLINE_LINUX="loglevel=3 crashkernel=auto console=tty1 console=ttyS0 earlyprintk=ttyS0 rootdelay=300 audit=1 audit_backlog_limit=8192"

check for audit_backlog_limit=8192 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT  oval:ssg-test_grub2_audit_backlog_limit_argument_default:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_audit_backlog_limit_argument_default:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$1

Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub  oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1  true

Following items have been found on the system:
PathContent
/etc/default/grubGRUB_DISABLE_RECOVERY="true"
Verify /boot/grub2/grub.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg mediumCCE-80800-6

Verify /boot/grub2/grub.cfg Group Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80800-6

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, SRG-OS-000480-GPOS-00227, 1.4.2

Description
The file /boot/grub2/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/grub2/grub.cfg, run the command:
$ sudo chgrp root /boot/grub2/grub.cfg
Rationale
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Verify /boot/grub2/grub.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_owner_grub2_cfg mediumCCE-80805-5

Verify /boot/grub2/grub.cfg User Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80805-5

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 1.4.2

Description
The file /boot/grub2/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/grub2/grub.cfg, run the command:
$ sudo chown root /boot/grub2/grub.cfg 
Rationale
Only root should be able to modify important boot parameters.
Verify /boot/grub2/grub.cfg Permissionsxccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg mediumCCE-80814-7

Verify /boot/grub2/grub.cfg Permissions

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80814-7

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 1.4.2

Description
File permissions for /boot/grub2/grub.cfg should be set to 600. To properly set the permissions of /boot/grub2/grub.cfg, run the command:
$ sudo chmod 600 /boot/grub2/grub.cfg
Rationale
Proper permissions ensure that only the root user can modify important boot parameters.
Set Boot Loader Password in grub2xccdf_org.ssgproject.content_rule_grub2_password highCCE-80828-7

Set Boot Loader Password in grub2

Rule IDxccdf_org.ssgproject.content_rule_grub2_password
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:18+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80828-7

References:  BP28(R17), 1, 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.06, DSS06.10, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.18.1.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010150, 1.4.1, SV-230235r743925_rule

Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.

Rationale
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings
warning  To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
Verify the UEFI Boot Loader grub.cfg Group Ownershipxccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg mediumCCE-85915-7

Verify the UEFI Boot Loader grub.cfg Group Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_efi_grub2_cfg:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85915-7

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 1.4.2

Description
The file /boot/efi/EFI/redhat/grub.cfg should be group-owned by the root group to prevent destruction or modification of the file. To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
Rationale
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
OVAL test results details

Testing group ownership of /boot/efi/EFI/redhat/grub.cfg  oval:ssg-test_file_groupowner_efi_grub2_cfg_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_efi_grub2_cfg_0:obj:1 of type file_object
FilepathFilterFilter
/boot/efi/EFI/redhat/grub.cfgoval:ssg-symlink_file_groupowner_efi_grub2_cfg_uid_0:ste:1oval:ssg-state_file_groupowner_efi_grub2_cfg_gid_0_0:ste:1
Verify the UEFI Boot Loader grub.cfg User Ownershipxccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg mediumCCE-85913-2

Verify the UEFI Boot Loader grub.cfg User Ownership

Rule IDxccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_efi_grub2_cfg:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85913-2

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-7.1, 1.4.2

Description
The file /boot/efi/EFI/redhat/grub.cfg should be owned by the root user to prevent destruction or modification of the file. To properly set the owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chown root /boot/efi/EFI/redhat/grub.cfg 
Rationale
Only root should be able to modify important boot parameters.
OVAL test results details

Testing user ownership of /boot/efi/EFI/redhat/grub.cfg  oval:ssg-test_file_owner_efi_grub2_cfg_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_efi_grub2_cfg_0:obj:1 of type file_object
FilepathFilterFilter
/boot/efi/EFI/redhat/grub.cfgoval:ssg-symlink_file_owner_efi_grub2_cfg_uid_0:ste:1oval:ssg-state_file_owner_efi_grub2_cfg_uid_0_0:ste:1
Verify the UEFI Boot Loader grub.cfg Permissionsxccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg mediumCCE-85912-4

Verify the UEFI Boot Loader grub.cfg Permissions

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_efi_grub2_cfg:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85912-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.4.5, CCI-000225, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 1.4.2

Description
File permissions for /boot/efi/EFI/redhat/grub.cfg should be set to 700. To properly set the permissions of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chmod 700 /boot/efi/EFI/redhat/grub.cfg
Rationale
Proper permissions ensure that only the root user can modify important boot parameters.
OVAL test results details

Testing mode of /boot/efi/EFI/redhat/grub.cfg  oval:ssg-test_file_permissions_efi_grub2_cfg_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_efi_grub2_cfg_0:obj:1 of type file_object
FilepathFilterFilter
/boot/efi/EFI/redhat/grub.cfgoval:ssg-exclude_symlinks__efi_grub2_cfg:ste:1oval:ssg-state_file_permissions_efi_grub2_cfg_0_mode_0700or_stricter_:ste:1
Set the UEFI Boot Loader Passwordxccdf_org.ssgproject.content_rule_grub2_uefi_password highCCE-80829-5

Set the UEFI Boot Loader Password

Rule IDxccdf_org.ssgproject.content_rule_grub2_uefi_password
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_uefi_password:def:1
Time2022-11-07T15:05:18+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80829-5

References:  BP28(R17), 11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.4.5, CCI-000213, 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, FIA_UAU.1, SRG-OS-000080-GPOS-00048, RHEL-08-010140, 1.4.1, SV-230234r743922_rule

Description
The grub2 boot loader should have a superuser account and password protection enabled to protect boot-time settings.

Since plaintext passwords are a security risk, generate a hash for the password by running the following command:
# grub2-setpassword
When prompted, enter the password that was selected.

Rationale
Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode.
Warnings
warning  To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above. Also, do NOT manually add the superuser account and password to the grub.cfg file as the grub2-mkconfig command overwrites this file.
OVAL test results details

make sure a password is defined in /boot/efi/EFI/redhat/user.cfg  oval:ssg-test_grub2_uefi_password_usercfg:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_grub2_uefi_password_usercfg:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/boot/efi/EFI/redhat/user.cfg^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$1
Ensure System Log Files Have Correct Permissionsxccdf_org.ssgproject.content_rule_rsyslog_files_permissions mediumCCE-80862-6

Ensure System Log Files Have Correct Permissions

Rule IDxccdf_org.ssgproject.content_rule_rsyslog_files_permissions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-rsyslog_files_permissions:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80862-6

References:  BP28(R36), CCI-001314, 0988, 1405, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), Req-10.5.1, Req-10.5.2, 4.2.3

Description
The file permissions for all log files written by rsyslog should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in /etc/rsyslog.conf and typically all appear in /var/log. For each log file LOGFILE referenced in /etc/rsyslog.conf, run the following command to inspect the file's permissions:
$ ls -l LOGFILE
If the permissions are not 600 or more restrictive, run the following command to correct this:
$ sudo chmod 0600 LOGFILE
"
Rationale
Log files can contain valuable information regarding system configuration. If the system log files are not protected unauthorized users could change the logged data, eliminating their forensic value.
OVAL test results details

Permissions of system log files are correct  oval:ssg-test_rsyslog_files_permissions:tst:1  true

Following items have been found on the system:
PathTypeUIDGIDSize (B)Permissions
/var/log/cronregular003274rw------- 
/var/log/spoolerregular000rw------- 
/var/log/messagesregular002004487rw------- 
/var/log/secureregular002993453rw------- 
/var/log/maillogregular000rw------- 
/var/log/cloud-init.logregular00156084rw------- 
Enable systemd-journald Servicexccdf_org.ssgproject.content_rule_service_systemd-journald_enabled mediumCCE-85921-5

Enable systemd-journald Service

Rule IDxccdf_org.ssgproject.content_rule_service_systemd-journald_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_systemd-journald_enabled:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85921-5

References:  CCI-001665, SC-24, SRG-OS-000269-GPOS-00103, 4.2.2.2

Description
The systemd-journald service is an essential component of systemd. The systemd-journald service can be enabled with the following command:
$ sudo systemctl enable systemd-journald.service
Rationale
In the event of a system failure, Red Hat Enterprise Linux 8 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.
OVAL test results details

package systemd is installed  oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
systemdx86_64(none)45.el8_4.82390:239-45.el8_4.8199e2f91fd431d51systemd-0:239-45.el8_4.8.x86_64

Test that the systemd-journald service is running  oval:ssg-test_service_running_systemd-journald:tst:1  true

Following items have been found on the system:
UnitPropertyValue
systemd-journald.serviceActiveStateactive
systemd-journald.socketActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_systemd-journald:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service

systemd test  oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service
Ensure journald is configured to compress large log filesxccdf_org.ssgproject.content_rule_journald_compress mediumCCE-85930-6

Ensure journald is configured to compress large log files

Rule IDxccdf_org.ssgproject.content_rule_journald_compress
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-journald_compress:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85930-6

References:  4.2.2.3

Description
The journald system can compress large log files to avoid fill the system disk.
Rationale
Log files that are not properly compressed run the risk of growing so large that they fill up the log partition. Valuable logging information could be lost if the log partition becomes full.
OVAL test results details

tests the value of Compress setting in the /etc/systemd/journald.conf file  oval:ssg-test_journald_compress:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/journald.confCompress="yes"
Ensure journald is configured to send logs to rsyslogxccdf_org.ssgproject.content_rule_journald_forward_to_syslog mediumCCE-85995-9

Ensure journald is configured to send logs to rsyslog

Rule IDxccdf_org.ssgproject.content_rule_journald_forward_to_syslog
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-journald_forward_to_syslog:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85995-9

References:  4.2.1.3

Description
Data from journald may be stored in volatile memory or persisted locally. Utilities exist to accept remote export of journald logs.
Rationale
Storing log data on a remote host protects log integrity from local attacks. If an attacker gains root access on the local system, they could tamper with or remove log data that is stored on the local system.
OVAL test results details

tests the value of ForwardToSyslog setting in the /etc/systemd/journald.conf file  oval:ssg-test_journald_forward_to_syslog:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/journald.confForwardToSyslog="yes"
Ensure journald is configured to write log files to persistent diskxccdf_org.ssgproject.content_rule_journald_storage mediumCCE-86045-2

Ensure journald is configured to write log files to persistent disk

Rule IDxccdf_org.ssgproject.content_rule_journald_storage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-journald_storage:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86045-2

References:  4.2.2.4

Description
The journald system may store log files in volatile memory or locally on disk. If the logs are only stored in volatile memory they will we lost upon reboot.
Rationale
Log files contain valuable data and need to be persistent to aid in possible investigations.
OVAL test results details

tests the value of Storage setting in the /etc/systemd/journald.conf file  oval:ssg-test_journald_storage:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/journald.confStorage="persistent"
Ensure rsyslog is Installedxccdf_org.ssgproject.content_rule_package_rsyslog_installed mediumCCE-80847-7

Ensure rsyslog is Installed

Rule IDxccdf_org.ssgproject.content_rule_package_rsyslog_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsyslog_installed:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80847-7

References:  BP28(R5), NT28(R46), 1, 14, 15, 16, 3, 5, 6, APO11.04, BAI03.05, DSS05.04, DSS05.07, MEA02.01, CCI-001311, CCI-001312, CCI-000366, 164.312(a)(2)(ii), 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, CM-6(a), PR.PT-1, FTP_ITC_EXT.1.1, SRG-OS-000479-GPOS-00224, SRG-OS-000051-GPOS-00024, SRG-OS-000480-GPOS-00227, RHEL-08-030670, 4.2.1.1, SV-230477r627750_rule

Description
Rsyslog is installed by default. The rsyslog package can be installed with the following command:
 $ sudo yum install rsyslog
Rationale
The rsyslog package provides the rsyslog daemon, which provides system logging services.
OVAL test results details

package rsyslog is installed  oval:ssg-test_package_rsyslog_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
rsyslogx86_64(none)7.el8_4.28.1911.00:8.1911.0-7.el8_4.2199e2f91fd431d51rsyslog-0:8.1911.0-7.el8_4.2.x86_64
Enable rsyslog Servicexccdf_org.ssgproject.content_rule_service_rsyslog_enabled mediumCCE-80886-5

Enable rsyslog Service

Rule IDxccdf_org.ssgproject.content_rule_service_rsyslog_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_rsyslog_enabled:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80886-5

References:  BP28(R5), NT28(R46), 1, 12, 13, 14, 15, 16, 2, 3, 5, 6, 7, 8, 9, APO10.01, APO10.03, APO10.04, APO10.05, APO11.04, APO13.01, BAI03.05, BAI04.04, DSS01.03, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, MEA01.01, MEA01.02, MEA01.03, MEA01.04, MEA01.05, MEA02.01, CCI-001311, CCI-001312, CCI-001557, CCI-001851, CCI-000366, 164.312(a)(2)(ii), 4.3.2.6.7, 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 2.10, SR 2.11, SR 2.12, SR 2.8, SR 2.9, SR 6.1, SR 6.2, SR 7.1, SR 7.2, A.12.1.3, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.14.2.7, A.15.2.1, A.15.2.2, A.17.2.1, CM-6(a), AU-4(1), DE.CM-1, DE.CM-3, DE.CM-7, ID.SC-4, PR.DS-4, PR.PT-1, SRG-OS-000480-GPOS-00227, RHEL-08-010561, 4.2.1.2, SV-230298r627750_rule

Description
The rsyslog service provides syslog-style logging by default on Red Hat Enterprise Linux 8. The rsyslog service can be enabled with the following command:
$ sudo systemctl enable rsyslog.service
Rationale
The rsyslog service must be running in order to provide logging services, which are essential to system administration.
OVAL test results details

package rsyslog is installed  oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
rsyslogx86_64(none)7.el8_4.28.1911.00:8.1911.0-7.el8_4.2199e2f91fd431d51rsyslog-0:8.1911.0-7.el8_4.2.x86_64

Test that the rsyslog service is running  oval:ssg-test_service_running_rsyslog:tst:1  true

Following items have been found on the system:
UnitPropertyValue
rsyslog.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_rsyslog:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service

systemd test  oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service
Install firewalld Packagexccdf_org.ssgproject.content_rule_package_firewalld_installed mediumCCE-82998-6

Install firewalld Package

Rule IDxccdf_org.ssgproject.content_rule_package_firewalld_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_firewalld_installed:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82998-6

References:  CCI-002314, CM-6(a), FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000298-GPOS-00116, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00232, RHEL-08-040100, 3.4.1.1, SV-230505r744020_rule

Description
The firewalld package can be installed with the following command:
$ sudo yum install firewalld
Rationale
"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols. Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best. Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless. Red Hat Enterprise Linux 8 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity. Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."
OVAL test results details

package firewalld is installed  oval:ssg-test_package_firewalld_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
firewalldnoarch(none)7.el8_40.8.20:0.8.2-7.el8_4199e2f91fd431d51firewalld-0:0.8.2-7.el8_4.noarch
Verify firewalld Enabledxccdf_org.ssgproject.content_rule_service_firewalld_enabled mediumCCE-80877-4

Verify firewalld Enabled

Rule IDxccdf_org.ssgproject.content_rule_service_firewalld_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_firewalld_enabled:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80877-4

References:  11, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.3, 3.4.7, CCI-000366, CCI-000382, CCI-002314, 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, FMT_SMF_EXT.1, SRG-OS-000096-GPOS-00050, SRG-OS-000297-GPOS-00115, SRG-OS-000480-GPOS-00227, SRG-OS-000480-GPOS-00231, SRG-OS-000480-GPOS-00232, RHEL-08-040101, 3.4.1.4, SV-244544r743881_rule

Description
The firewalld service can be enabled with the following command:
$ sudo systemctl enable firewalld.service
Rationale
Access control methods provide the ability to enhance system security posture by restricting services and known good IP addresses and address ranges. This prevents connections from unknown hosts and protocols.
OVAL test results details

package firewalld is installed  oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
firewalldnoarch(none)7.el8_40.8.20:0.8.2-7.el8_4199e2f91fd431d51firewalld-0:0.8.2-7.el8_4.noarch

Test that the firewalld service is running  oval:ssg-test_service_running_firewalld:tst:1  true

Following items have been found on the system:
UnitPropertyValue
firewalld.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_firewalld:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service

systemd test  oval:ssg-test_multi_user_wants_firewalld_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service
Set Default firewalld Zone for Incoming Packetsxccdf_org.ssgproject.content_rule_set_firewalld_default_zone mediumCCE-80890-7

Set Default firewalld Zone for Incoming Packets

Rule IDxccdf_org.ssgproject.content_rule_set_firewalld_default_zone
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-set_firewalld_default_zone:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80890-7

References:  11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.3, 3.4.7, 3.13.6, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 1416, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CA-3(5), CM-7(b), SC-7(23), CM-6(a), PR.IP-1, PR.PT-3, FMT_MOF_EXT.1, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, 3.4.1.5

Description
To set the default zone to drop for the built-in default zone which processes incoming IPv4 and IPv6 packets, modify the following line in /etc/firewalld/firewalld.conf to be:
DefaultZone=drop
Rationale
In firewalld the default zone is applied only after all the applicable rules in the table are examined for a match. Setting the default zone to drop implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
Warnings
warning  To prevent denying any access to the system, automatic remediation of this control is not available. Remediation must be automated as a component of machine provisioning, or followed manually as outlined above.
OVAL test results details

Check /etc/firewalld/firewalld.conf DefaultZone for drop  oval:ssg-test_firewalld_input_drop:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-obj_firewalld_input_drop:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/firewalld/firewalld.conf^DefaultZone=drop$1
Set Default ip6tables Policy for Incoming Packetsxccdf_org.ssgproject.content_rule_set_ip6tables_default_rule mediumCCE-85965-2

Set Default ip6tables Policy for Incoming Packets

Rule IDxccdf_org.ssgproject.content_rule_set_ip6tables_default_rule
Result
notchecked
Multi-check ruleno
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-85965-2

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CIP-003-8 R4, CIP-003-8 R5, CIP-004-6 R3, AC-4, CM-7(b), CA-3(5), SC-7(21), CM-6(a), PR.IP-1, PR.PT-3, 3.4.3.3.4

Description
To set the default policy to DROP (instead of ACCEPT) for the built-in INPUT chain which processes incoming packets, add or correct the following line in /etc/sysconfig/ip6tables:
:INPUT DROP [0:0]
If changes were required, reload the ip6tables rules:
$ sudo service ip6tables reload
Rationale
In ip6tables, the default policy is applied only after all the applicable rules in the table are examined for a match. Setting the default policy to DROP implements proper design for a firewall, i.e. any packets which are not explicitly permitted should not be accepted.
Evaluation messages
info 
No candidate or applicable check found.
Configure Accepting Router Advertisements on All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra mediumCCE-81006-9

Configure Accepting Router Advertisements on All IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81006-9

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040261, 3.3.9, SV-230541r833351_rule

Description
To set the runtime status of the net.ipv6.conf.all.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_ra = 0
Rationale
An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_disable_ipv6  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
Var ref
oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_ra=0

net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_ra=0

net.ipv6.conf.all.accept_ra static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_accept_ra  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_ra_counter:var:11

kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.accept_ra0
Disable Accepting ICMP Redirects for All IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects mediumCCE-81009-3

Disable Accepting ICMP Redirects for All IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81009-3

References:  BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040280, 3.3.2, SV-230544r833357_rule

Description
To set the runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_redirects = 0
Rationale
An illicit ICMP redirect message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_disable_ipv6  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
Var ref
oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_redirects=0

net.ipv6.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_accept_redirects  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_redirects_counter:var:11

kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route mediumCCE-81013-5

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81013-5

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040240, 3.3.1, SV-230538r833346_rule

Description
To set the runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_disable_ipv6  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
Var ref
oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.accept_source_route=0

net.ipv6.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_accept_source_route  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_source_route_counter:var:11

kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.accept_source_route0
Disable Kernel Parameter for IPv6 Forwardingxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding mediumCCE-82863-2

Disable Kernel Parameter for IPv6 Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82863-2

References:  1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040260, 3.2.1, SV-230540r833349_rule

Description
To set the runtime status of the net.ipv6.conf.all.forwarding kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.all.forwarding=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.all.forwarding = 0
Rationale
IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_disable_ipv6  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
Var ref
oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.all.forwarding static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.all.forwarding=0

net.ipv6.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.all.forwarding=0

net.ipv6.conf.all.forwarding static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_forwarding:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.forwarding[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_forwarding  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv6_conf_all_forwarding_counter:var:11

kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_all_forwarding_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.all.forwarding0
Disable Accepting Router Advertisements on all IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra mediumCCE-81007-7

Disable Accepting Router Advertisements on all IPv6 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81007-7

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040262, 3.3.9, SV-230542r833353_rule

Description
To set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_ra = 0
Rationale
An illicit router advertisement message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_disable_ipv6  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
Var ref
oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_ra static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_ra=0

net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_ra=0

net.ipv6.conf.default.accept_ra static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_default_accept_ra  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_ra_counter:var:11

kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.default.accept_ra0
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects mediumCCE-81010-1

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81010-1

References:  BP28(R22), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040210, 3.3.2, SV-230535r833340_rule

Description
To set the runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_redirects = 0
Rationale
An illicit ICMP redirect message could result in a man-in-the-middle attack.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_disable_ipv6  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
Var ref
oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_redirects=0

net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_redirects=0

net.ipv6.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_default_accept_redirects  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_redirects_counter:var:11

kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.default.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route mediumCCE-81015-0

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81015-0

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 4, 6, 8, 9, APO01.06, APO13.01, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), CM-6(b), CM-6.1(iv), DE.AE-1, ID.AM-3, PR.AC-5, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040250, 3.3.1, SV-230539r838722_rule

Description
To set the runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv6.conf.default.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and the system is functioning as a router. Accepting source-routed packets in the IPv6 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv6.conf.all.disable_ipv6 static configuration  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/sysctl.conf^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_all_disable_ipv6  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1 of type variable_object
Var ref
oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1

kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1  oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1  false

Following items have been found on the system:
NameValue
net.ipv6.conf.all.disable_ipv60

net.ipv6.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv6.conf.default.accept_source_route=0

net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv6.conf.default.accept_source_route=0

net.ipv6.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv6_conf_default_accept_source_route  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_source_route_counter:var:11

kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv6.conf.default.accept_source_route0
Disable Accepting ICMP Redirects for All IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects mediumCCE-80917-8

Disable Accepting ICMP Redirects for All IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80917-8

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, 5.10.1.1, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, CCI-001503, CCI-001551, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-040279, 3.3.2, SV-244553r833379_rule

Description
To set the runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required."
OVAL test results details

net.ipv4.conf.all.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_redirects=0

net.ipv4.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_all_accept_redirects  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_redirects_counter:var:11

kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route mediumCCE-81011-9

Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81011-9

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040239, 3.3.1, SV-244551r833375_rule

Description
To set the runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures. This requirement applies only to the forwarding of source-routerd traffic, such as when IPv4 forwarding is enabled and the system is functioning as a router.

Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv4.conf.all.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_all_accept_source_route  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_source_route_counter:var:11

kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.accept_source_route0
Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians unknownCCE-81018-4

Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1
Time2022-11-07T15:05:18+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-81018-4

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.4

Description
To set the runtime status of the net.ipv4.conf.all.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.log_martians = 1
Rationale
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
OVAL test results details

net.ipv4.conf.all.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.log_martians=1

net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.log_martians=1

net.ipv4.conf.all.log_martians static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_all_log_martians  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_all_log_martians_counter:var:11

kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.log_martians1
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter mediumCCE-81021-8

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1
Time2022-11-07T15:05:18+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81021-8

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040285, 3.3.7, SV-230549r833367_rule

Description
To set the runtime status of the net.ipv4.conf.all.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.rp_filter = 1
Rationale
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
OVAL test results details

net.ipv4.conf.all.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.rp_filter=1

net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.rp_filter=1

net.ipv4.conf.all.rp_filter static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_all_rp_filter  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_all_rp_filter_counter:var:11

kernel runtime parameter net.ipv4.conf.all.rp_filter set to 1 or 2  oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.rp_filter1
Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects mediumCCE-81016-8

Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81016-8

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001503, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.3

Description
To set the runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.secure_redirects = 0
Rationale
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv4.conf.all.secure_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.secure_redirects=0

net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.secure_redirects=0

net.ipv4.conf.all.secure_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_all_secure_redirects  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_all_secure_redirects_counter:var:11

kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.secure_redirects0
Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects mediumCCE-80919-4

Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80919-4

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040209, 3.3.2, SV-244550r833373_rule

Description
To set the runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated. An illicit ICMP redirect message could result in a man-in-the-middle attack.
This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless absolutely required.
OVAL test results details

net.ipv4.conf.default.accept_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_redirects=0

net.ipv4.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_default_accept_redirects  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_redirects_counter:var:11

kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.accept_redirects0
Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route mediumCCE-80920-2

Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80920-2

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040249, 3.3.1, SV-244552r833377_rule

Description
To set the runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.accept_source_route = 0
Rationale
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required, such as when IPv4 forwarding is enabled and the system is legitimately functioning as a router.
OVAL test results details

net.ipv4.conf.default.accept_source_route static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.accept_source_route=0

net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.accept_source_route=0

net.ipv4.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_default_accept_source_route  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_source_route_counter:var:11

kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.accept_source_route0
Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians unknownCCE-81020-0

Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1
Time2022-11-07T15:05:19+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-81020-0

References:  1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.04, DSS03.05, DSS05.02, DSS05.03, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000126, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.11.2.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), SC-5(3)(a), DE.CM-1, PR.AC-3, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.4

Description
To set the runtime status of the net.ipv4.conf.default.log_martians kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.log_martians=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.log_martians = 1
Rationale
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
OVAL test results details

net.ipv4.conf.default.log_martians static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.log_martians=1

net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.log_martians=1

net.ipv4.conf.default.log_martians static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_default_log_martians  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_default_log_martians_counter:var:11

kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.log_martians1
Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter mediumCCE-81022-6

Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81022-6

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.7

Description
To set the runtime status of the net.ipv4.conf.default.rp_filter kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.rp_filter = 1
Rationale
Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks.
OVAL test results details

net.ipv4.conf.default.rp_filter static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.rp_filter=1

net.ipv4.conf.default.rp_filter static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_default_rp_filter  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_default_rp_filter_counter:var:11

kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.rp_filter1
Configure Kernel Parameter for Accepting Secure Redirects By Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects mediumCCE-81017-6

Configure Kernel Parameter for Accepting Secure Redirects By Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81017-6

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-001551, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.3.3

Description
To set the runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.secure_redirects = 0
Rationale
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
OVAL test results details

net.ipv4.conf.default.secure_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.secure_redirects=0

net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.secure_redirects=0

net.ipv4.conf.default.secure_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_default_secure_redirects  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_default_secure_redirects_counter:var:11

kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.secure_redirects0
Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts mediumCCE-80922-8

Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80922-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040230, 3.3.5, SV-230537r833344_rule

Description
To set the runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_echo_ignore_broadcasts = 1
Rationale
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
OVAL test results details

net.ipv4.icmp_echo_ignore_broadcasts static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts=1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_echo_ignore_broadcasts=1

net.ipv4.icmp_echo_ignore_broadcasts static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_icmp_echo_ignore_broadcasts  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_counter:var:11

kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.icmp_echo_ignore_broadcasts1
Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses unknownCCE-81023-4

Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1
Time2022-11-07T15:05:19+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-81023-4

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, 3.3.6

Description
To set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.icmp_ignore_bogus_error_responses = 1
Rationale
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
OVAL test results details

net.ipv4.icmp_ignore_bogus_error_responses static configuration  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.icmp_ignore_bogus_error_responses=1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.icmp_ignore_bogus_error_responses=1

net.ipv4.icmp_ignore_bogus_error_responses static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_icmp_ignore_bogus_error_responses  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_counter:var:11

kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.icmp_ignore_bogus_error_responses1
Enable Kernel Parameter to Use TCP Syncookies on Network Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies mediumCCE-80923-6

Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80923-6

References:  BP28(R22), 1, 12, 13, 14, 15, 16, 18, 2, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.07, DSS06.02, 3.1.20, CCI-000366, CCI-001095, 4.2.3.4, 4.3.3.4, 4.4.3.3, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), SC-5(1), SC-5(2), SC-5(3)(a), CM-6(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.PT-4, SRG-OS-000480-GPOS-00227, SRG-OS-000420-GPOS-00186, SRG-OS-000142-GPOS-00071, 3.3.8

Description
To set the runtime status of the net.ipv4.tcp_syncookies kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.tcp_syncookies=1
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.tcp_syncookies = 1
Rationale
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state. Syncookies can be used to track a connection when a subsequent ACK is received, verifying the initiator is attempting a valid connection and is not a flood source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
OVAL test results details

net.ipv4.tcp_syncookies static configuration  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.tcp_syncookies=1

net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.tcp_syncookies=1

net.ipv4.tcp_syncookies static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_tcp_syncookies  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_tcp_syncookies_counter:var:11

kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value  oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.tcp_syncookies1
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects mediumCCE-80918-6

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80918-6

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040220, 3.2.2, SV-230536r833342_rule

Description
To set the runtime status of the net.ipv4.conf.all.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.all.send_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details

net.ipv4.conf.all.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.send_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_all_send_redirects  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_all_send_redirects_counter:var:11

kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.all.send_redirects0
Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Defaultxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects mediumCCE-80921-0

Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80921-0

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 18, 2, 3, 4, 6, 7, 8, 9, 5.10.1.1, APO01.06, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS01.05, DSS03.01, DSS03.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, 3.1.20, CCI-000366, 4.2.3.4, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.AE-1, DE.CM-1, ID.AM-3, PR.AC-5, PR.DS-4, PR.DS-5, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040270, 3.2.2, SV-230543r833355_rule

Description
To set the runtime status of the net.ipv4.conf.default.send_redirects kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.conf.default.send_redirects = 0
Rationale
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
The ability to send ICMP redirects is only appropriate for systems acting as routers.
OVAL test results details

net.ipv4.conf.default.send_redirects static configuration  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.conf.default.send_redirects=0

net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.conf.default.send_redirects=0

net.ipv4.conf.default.send_redirects static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_conf_default_send_redirects  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_conf_default_send_redirects_counter:var:11

kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0  oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.conf.default.send_redirects0
Disable Kernel Parameter for IP Forwarding on IPv4 Interfacesxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward mediumCCE-81024-2

Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces

Rule IDxccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_net_ipv4_ip_forward:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81024-2

References:  BP28(R22), 1, 11, 12, 13, 14, 15, 16, 2, 3, 7, 8, 9, APO13.01, BAI04.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.03, DSS03.05, DSS05.02, DSS05.05, DSS05.07, DSS06.06, 3.1.20, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 6.2, SR 7.1, SR 7.2, SR 7.6, A.12.1.2, A.12.1.3, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.17.2.1, A.9.1.2, CIP-007-3 R4, CIP-007-3 R4.1, CIP-007-3 R4.2, CIP-007-3 R5.1, CM-7(a), CM-7(b), SC-5, CM-6(a), SC-7(a), DE.CM-1, PR.DS-4, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 3.2.1

Description
To set the runtime status of the net.ipv4.ip_forward kernel parameter, run the following command:
$ sudo sysctl -w net.ipv4.ip_forward=0
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
net.ipv4.ip_forward = 0
Rationale
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
Warnings
warning  Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking. Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in profiles or benchmarks that target usage of IPv4 forwarding.
warning  This rule is disabled on Red Hat Virtualization Hosts and Managers, it will report not applicable. RHV host requires IPv4 forwarding for the Hosted Engine bootstrap VM to reach network outside of the initial host.
OVAL test results details

net.ipv4.ip_forward static configuration  oval:ssg-test_sysctl_net_ipv4_ip_forward_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confnet.ipv4.ip_forward=0

net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_ip_forward_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confnet.ipv4.ip_forward=0

net.ipv4.ip_forward static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_net_ipv4_ip_forward_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_ip_forward:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains net_ipv4_ip_forward  oval:ssg-test_sysctl_net_ipv4_ip_forward_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_net_ipv4_ip_forward_counter:var:11

kernel runtime parameter net.ipv4.ip_forward set to 0  oval:ssg-test_sysctl_net_ipv4_ip_forward_runtime:tst:1  true

Following items have been found on the system:
NameValue
net.ipv4.ip_forward0
Disable DCCP Supportxccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled mediumCCE-80833-7

Disable DCCP Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_dccp_disabled:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80833-7

References:  11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-001958, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000096-GPOS-00050, SRG-OS-000378-GPOS-00163, 3.1.3

Description
The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to support streaming media and telephony. To configure the system to prevent the dccp kernel module from being loaded, add the following line to the file /etc/modprobe.d/dccp.conf:
install dccp /bin/true
To configure the system to prevent the dccp from being used, add the following line to file /etc/modprobe.d/dccp.conf:
blacklist dccp
Rationale
Disabling DCCP protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module dccp blacklisted  oval:ssg-test_kernmod_dccp_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/dccp.confblacklist dccp

kernel module dccp disabled  oval:ssg-test_kernmod_dccp_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/dccp.confinstall dccp /bin/true
Disable SCTP Supportxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled mediumCCE-80834-5

Disable SCTP Support

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_sctp_disabled:def:1
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80834-5

References:  11, 14, 3, 9, 5.10.1, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040023, 3.1.2, SV-230496r792917_rule

Description
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol, designed to support the idea of message-oriented communication, with several streams of messages within one connection. To configure the system to prevent the sctp kernel module from being loaded, add the following line to the file /etc/modprobe.d/sctp.conf:
install sctp /bin/true
To configure the system to prevent the sctp from being used, add the following line to file /etc/modprobe.d/sctp.conf:
blacklist sctp
Rationale
Disabling SCTP protects the system against exploitation of any flaws in its implementation.
OVAL test results details

kernel module sctp blacklisted  oval:ssg-test_kernmod_sctp_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/sctp.confblacklist sctp

kernel module sctp disabled  oval:ssg-test_kernmod_sctp_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/sctp.confinstall sctp /bin/true
Deactivate Wireless Network Interfacesxccdf_org.ssgproject.content_rule_wireless_disable_interfaces mediumCCE-83501-7

Deactivate Wireless Network Interfaces

Rule IDxccdf_org.ssgproject.content_rule_wireless_disable_interfaces
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:19+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83501-7

References:  11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, 3.1.16, CCI-000085, CCI-002418, CCI-002421, CCI-001443, CCI-001444, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, 1315, 1319, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, AC-18(a), AC-18(3), CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000299-GPOS-00117, SRG-OS-000300-GPOS-00118, SRG-OS-000424-GPOS-00188, SRG-OS-000481-GPOS-000481, RHEL-08-040110, 3.1.4, SV-230506r627750_rule

Description
Deactivating wireless network interfaces should prevent normal usage of the wireless capability.

Configure the system to disable all wireless network interfaces with the following command:
$ sudo nmcli radio all off
Rationale
The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a wireless access point (AP), allowing validated systems to connect to the malicious AP and enabling the attacker to monitor and record network traffic. These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources.
Verify Group Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group mediumCCE-83475-4

Verify Group Who Owns Backup group File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_group:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83475-4

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.9

Description
To properly set the group owner of /etc/group-, run the command:
$ sudo chgrp root /etc/group-
Rationale
The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing group ownership of /etc/group-  oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/group-oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1
Verify Group Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow mediumCCE-83535-5

Verify Group Who Owns Backup gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_gshadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83535-5

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.10

Description
To properly set the group owner of /etc/gshadow-, run the command:
$ sudo chgrp root /etc/gshadow-
Rationale
The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/gshadow-  oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadow-oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1
Verify Group Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd mediumCCE-83324-4

Verify Group Who Owns Backup passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_passwd:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83324-4

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.7

Description
To properly set the group owner of /etc/passwd-, run the command:
$ sudo chgrp root /etc/passwd-
Rationale
The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/passwd-  oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwd-oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1
Verify User Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow mediumCCE-83415-0

Verify User Who Owns Backup shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_backup_etc_shadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83415-0

References:  SRG-OS-000480-GPOS-00227, 6.1.8

Description
To properly set the group owner of /etc/shadow-, run the command:
$ sudo chgrp root /etc/shadow-
Rationale
The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/shadow-  oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadow-oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1
Verify Group Who Owns group Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_group mediumCCE-80796-6

Verify Group Who Owns group File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_group:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80796-6

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.5

Description
To properly set the group owner of /etc/group, run the command:
$ sudo chgrp root /etc/group
Rationale
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing group ownership of /etc/group  oval:ssg-test_file_groupowner_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/groupoval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1
Verify Group Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow mediumCCE-80797-4

Verify Group Who Owns gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_gshadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80797-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.6

Description
To properly set the group owner of /etc/gshadow, run the command:
$ sudo chgrp root /etc/gshadow
Rationale
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/gshadow  oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadowoval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1
Verify Group Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd mediumCCE-80798-2

Verify Group Who Owns passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_passwd:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80798-2

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3

Description
To properly set the group owner of /etc/passwd, run the command:
$ sudo chgrp root /etc/passwd
Rationale
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/passwd  oval:ssg-test_file_groupowner_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwdoval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1
Verify Group Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow mediumCCE-80799-0

Verify Group Who Owns shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_etc_shadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80799-0

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4

Description
To properly set the group owner of /etc/shadow, run the command:
$ sudo chgrp root /etc/shadow
Rationale
The /etc/shadow file stores password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing group ownership of /etc/shadow  oval:ssg-test_file_groupowner_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadowoval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1
Verify User Who Owns Backup group Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_group mediumCCE-83473-9

Verify User Who Owns Backup group File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_group:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83473-9

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.9

Description
To properly set the owner of /etc/group-, run the command:
$ sudo chown root /etc/group- 
Rationale
The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing user ownership of /etc/group-  oval:ssg-test_file_owner_backup_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/group-oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1
Verify User Who Owns Backup gshadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow mediumCCE-83533-0

Verify User Who Owns Backup gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_gshadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83533-0

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.10

Description
To properly set the owner of /etc/gshadow-, run the command:
$ sudo chown root /etc/gshadow- 
Rationale
The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/gshadow-  oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadow-oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1
Verify User Who Owns Backup passwd Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd mediumCCE-83326-9

Verify User Who Owns Backup passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_passwd:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83326-9

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.7

Description
To properly set the owner of /etc/passwd-, run the command:
$ sudo chown root /etc/passwd- 
Rationale
The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/passwd-  oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwd-oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1
Verify Group Who Owns Backup shadow Filexccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow mediumCCE-83413-5

Verify Group Who Owns Backup shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_backup_etc_shadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83413-5

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.8

Description
To properly set the owner of /etc/shadow-, run the command:
$ sudo chown root /etc/shadow- 
Rationale
The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/shadow-  oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadow-oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1
Verify User Who Owns group Filexccdf_org.ssgproject.content_rule_file_owner_etc_group mediumCCE-80801-4

Verify User Who Owns group File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_group:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80801-4

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.5

Description
To properly set the owner of /etc/group, run the command:
$ sudo chown root /etc/group 
Rationale
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing user ownership of /etc/group  oval:ssg-test_file_owner_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/groupoval:ssg-symlink_file_owner_etc_group_uid_0:ste:1oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1
Verify User Who Owns gshadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_gshadow mediumCCE-80802-2

Verify User Who Owns gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_gshadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80802-2

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.6

Description
To properly set the owner of /etc/gshadow, run the command:
$ sudo chown root /etc/gshadow 
Rationale
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/gshadow  oval:ssg-test_file_owner_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadowoval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1
Verify User Who Owns passwd Filexccdf_org.ssgproject.content_rule_file_owner_etc_passwd mediumCCE-80803-0

Verify User Who Owns passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_passwd:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80803-0

References:  12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3

Description
To properly set the owner of /etc/passwd, run the command:
$ sudo chown root /etc/passwd 
Rationale
The /etc/passwd file contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing user ownership of /etc/passwd  oval:ssg-test_file_owner_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwdoval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1
Verify User Who Owns shadow Filexccdf_org.ssgproject.content_rule_file_owner_etc_shadow mediumCCE-80804-8

Verify User Who Owns shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_owner_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_etc_shadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80804-8

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4

Description
To properly set the owner of /etc/shadow, run the command:
$ sudo chown root /etc/shadow 
Rationale
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
OVAL test results details

Testing user ownership of /etc/shadow  oval:ssg-test_file_owner_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadowoval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1
Verify Permissions on Backup group Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group mediumCCE-83483-8

Verify Permissions on Backup group File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_group:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83483-8

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.9

Description
To properly set the permissions of /etc/group-, run the command:
$ sudo chmod 0644 /etc/group-
Rationale
The /etc/group- file is a backup file of /etc/group, and as such, it contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing mode of /etc/group-  oval:ssg-test_file_permissions_backup_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/group-oval:ssg-exclude_symlinks__backup_etc_group:ste:1oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1
Verify Permissions on Backup gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow mediumCCE-83573-6

Verify Permissions on Backup gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_gshadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83573-6

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.10

Description
To properly set the permissions of /etc/gshadow-, run the command:
$ sudo chmod 0000 /etc/gshadow-
Rationale
The /etc/gshadow- file is a backup of /etc/gshadow, and as such, it contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/gshadow-  oval:ssg-test_file_permissions_backup_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadow-oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1
Verify Permissions on Backup passwd Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd mediumCCE-83332-7

Verify Permissions on Backup passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_passwd:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83332-7

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.7

Description
To properly set the permissions of /etc/passwd-, run the command:
$ sudo chmod 0644 /etc/passwd-
Rationale
The /etc/passwd- file is a backup file of /etc/passwd, and as such, it contains information about the users that are configured on the system. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/passwd-  oval:ssg-test_file_permissions_backup_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwd-oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1
Verify Permissions on Backup shadow Filexccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow mediumCCE-83417-6

Verify Permissions on Backup shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_backup_etc_shadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83417-6

References:  CCI-002223, AC-6 (1), SRG-OS-000480-GPOS-00227, 6.1.8

Description
To properly set the permissions of /etc/shadow-, run the command:
$ sudo chmod 0000 /etc/shadow-
Rationale
The /etc/shadow- file is a backup file of /etc/shadow, and as such, it contains the list of local system accounts and password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/shadow-  oval:ssg-test_file_permissions_backup_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadow-oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1
Verify Permissions on group Filexccdf_org.ssgproject.content_rule_file_permissions_etc_group mediumCCE-80810-5

Verify Permissions on group File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_group
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_group:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80810-5

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.5

Description
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
Rationale
The /etc/group file contains information regarding groups that are configured on the system. Protection of this file is important for system security.
OVAL test results details

Testing mode of /etc/group  oval:ssg-test_file_permissions_etc_group_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_group_0:obj:1 of type file_object
FilepathFilterFilter
/etc/groupoval:ssg-exclude_symlinks__etc_group:ste:1oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1
Verify Permissions on gshadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow mediumCCE-80811-3

Verify Permissions on gshadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_gshadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80811-3

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 6.1.6

Description
To properly set the permissions of /etc/gshadow, run the command:
$ sudo chmod 0000 /etc/gshadow
Rationale
The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/gshadow  oval:ssg-test_file_permissions_etc_gshadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_gshadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/gshadowoval:ssg-exclude_symlinks__etc_gshadow:ste:1oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1
Verify Permissions on passwd Filexccdf_org.ssgproject.content_rule_file_permissions_etc_passwd mediumCCE-80812-1

Verify Permissions on passwd File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_passwd:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80812-1

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.3

Description
To properly set the permissions of /etc/passwd, run the command:
$ sudo chmod 0644 /etc/passwd
Rationale
If the /etc/passwd file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security.
OVAL test results details

Testing mode of /etc/passwd  oval:ssg-test_file_permissions_etc_passwd_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_passwd_0:obj:1 of type file_object
FilepathFilterFilter
/etc/passwdoval:ssg-exclude_symlinks__etc_passwd:ste:1oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1
Verify Permissions on shadow Filexccdf_org.ssgproject.content_rule_file_permissions_etc_shadow mediumCCE-80813-9

Verify Permissions on shadow File

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_etc_shadow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80813-9

References:  BP28(R36), 12, 13, 14, 15, 16, 18, 3, 5, 5.5.2.2, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-002223, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, Req-8.7.c, SRG-OS-000480-GPOS-00227, 6.1.4

Description
To properly set the permissions of /etc/shadow, run the command:
$ sudo chmod 0000 /etc/shadow
Rationale
The /etc/shadow file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture.
OVAL test results details

Testing mode of /etc/shadow  oval:ssg-test_file_permissions_etc_shadow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_etc_shadow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/shadowoval:ssg-exclude_symlinks__etc_shadow:ste:1oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1
Verify that All World-Writable Directories Have Sticky Bits Setxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits mediumCCE-80783-4

Verify that All World-Writable Directories Have Sticky Bits Set

Rule IDxccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-dir_perms_world_writable_sticky_bits:def:1
Time2022-11-07T15:05:20+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80783-4

References:  BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-001090, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000138-GPOS-00069, RHEL-08-010190, 6.1.2, SV-230243r792857_rule

Description
When the so-called 'sticky bit' is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other's files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit. However, if a directory is used by a particular application, consult that application's documentation instead of blindly changing modes.
To set the sticky bit on a world-writable directory DIR, run the following command:
$ sudo chmod +t DIR
Rationale
Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure.

The only authorized public directories are those temporary directories supplied with the system, or those designed to be temporary file repositories. The setting is normally reserved for directories used by the system, by users for temporary file storage (such as /tmp), and for directories requiring global read/write access.
OVAL test results details

all local world-writable directories have sticky bit set  oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_only_local_directories:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/no valueoval:ssg-state_world_writable_and_not_sticky:ste:1
Ensure No World-Writable Files Existxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable mediumCCE-80818-8

Ensure No World-Writable Files Exist

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_unauthorized_world_writable:def:1
Time2022-11-07T15:05:31+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80818-8

References:  BP28(R40), 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, 6.1.11

Description
It is generally a good idea to remove global (other) write access to a file when it is discovered. However, check with documentation for specific applications before making changes. Also, monitor for recurring world-writable files, as these may be symptoms of a misconfigured application or user account. Finally, this applies to real files and not virtual files that are a part of pseudo file systems such as sysfs or procfs.
Rationale
Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files.
OVAL test results details

world writable files  oval:ssg-test_file_permissions_unauthorized_world_write:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_unauthorized_world_write:obj:1 of type file_object
BehaviorsPathFilenameFilterFilterFilterFilter
no value/^.*$oval:ssg-state_file_permissions_unauthorized_world_write:ste:1oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1
Ensure All Files Are Owned by a Groupxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned mediumCCE-83497-8

Ensure All Files Are Owned by a Group

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_ungroupowned
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_ungroupowned:def:1
Time2022-11-07T15:05:42+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83497-8

References:  1, 11, 12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.02, DSS06.03, DSS06.06, DSS06.10, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.18.1.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-5, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010790, 6.1.13, SV-230327r627750_rule

Description
If any files are not owned by a group, then the cause of their lack of group-ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate group. The following command will discover and print any files on local partitions which do not belong to a valid group:
$ df --local -P | awk '{if (NR!=1) print $6}' | sudo xargs -I '{}' find '{}' -xdev -nogroup
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nogroup
Rationale
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings
warning  This rule only considers local groups. If you have your groups defined outside /etc/group, the rule won't consider those.
OVAL test results details

files with no group owner  oval:ssg-test_file_permissions_ungroupowned:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_ungroupowned:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/.*oval:ssg-state_file_permissions_ungroupowned:ste:1
Ensure All Files Are Owned by a Userxccdf_org.ssgproject.content_rule_no_files_unowned_by_user mediumCCE-83499-4

Ensure All Files Are Owned by a User

Rule IDxccdf_org.ssgproject.content_rule_no_files_unowned_by_user
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_files_unowned_by_user:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83499-4

References:  11, 12, 13, 14, 15, 16, 18, 3, 5, 9, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, CCI-000366, CCI-002165, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, SRG-OS-000480-GPOS-00227, RHEL-08-010780, 6.1.12, SV-230326r627750_rule

Description
If any files are not owned by a user, then the cause of their lack of ownership should be investigated. Following this, the files should be deleted or assigned to an appropriate user. The following command will discover and print any files on local partitions which do not belong to a valid user:
$ df --local -P | awk {'if (NR!=1) print $6'} | sudo xargs -I '{}' find '{}' -xdev -nouser
To search all filesystems on a system including network mounted filesystems the following command can be run manually for each partition:
$ sudo find PARTITION -xdev -nouser
Rationale
Unowned files do not directly imply a security problem, but they are generally a sign that something is amiss. They may be caused by an intruder, by incorrect software installation or draft software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so they will not cause problems when accounts are created in the future, and the cause should be discovered and addressed.
Warnings
warning  For this rule to evaluate centralized user accounts, getent must be working properly so that running the command
getent passwd
returns a list of all users in your organization. If using the System Security Services Daemon (SSSD),
enumerate = true
must be configured in your organization's domain to return a complete list of users
warning  Enabling this rule will result in slower scan times depending on the size of your organization and number of centralized users.
OVAL test results details

Check user ids on all files on the system  oval:ssg-no_files_unowned_by_user_test:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-file_permissions_unowned_object:obj:1 of type file_object
BehaviorsPathFilenameFilter
no value/.*oval:ssg-file_permissions_unowned_userid_list_match:ste:1
Disable the Automounterxccdf_org.ssgproject.content_rule_service_autofs_disabled mediumCCE-80873-3

Disable the Automounter

Rule IDxccdf_org.ssgproject.content_rule_service_autofs_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_autofs_disabled:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80873-3

References:  1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.4.6, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040070, 1.1.9, SV-230502r627750_rule

Description
The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use. Even if NFS is required, it may be possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

The autofs service can be disabled with the following command:
$ sudo systemctl mask --now autofs.service
Rationale
Disabling the automounter permits the administrator to statically control filesystem mounting through /etc/fstab.

Additionally, automatically mounting filesystems permits easy introduction of unknown devices, thereby facilitating malicious activity.
OVAL test results details

package autofs is removed  oval:ssg-test_service_autofs_package_autofs_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1 of type rpminfo_object
Name
autofs

Test that the autofs service is not running  oval:ssg-test_service_not_running_autofs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_autofs:obj:1 of type systemdunitproperty_object
UnitProperty
^autofs\.(service|socket)$ActiveState

Test that the property LoadState from the service autofs is masked  oval:ssg-test_service_loadstate_is_masked_autofs:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1 of type systemdunitproperty_object
UnitProperty
^autofs\.(service|socket)$LoadState
Disable Mounting of cramfsxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled lowCCE-81031-7

Disable Mounting of cramfs

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_cramfs_disabled:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-81031-7

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, SRG-OS-000095-GPOS-00049, RHEL-08-040025, 1.1.1.1, SV-230498r792922_rule

Description
To configure the system to prevent the cramfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/cramfs.conf:
install cramfs /bin/true
To configure the system to prevent the cramfs from being used, add the following line to file /etc/modprobe.d/cramfs.conf:
blacklist cramfs
This effectively prevents usage of this uncommon filesystem. The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the server.
OVAL test results details

kernel module cramfs blacklisted  oval:ssg-test_kernmod_cramfs_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/cramfs.confblacklist cramfs

kernel module cramfs disabled  oval:ssg-test_kernmod_cramfs_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/cramfs.confinstall cramfs /bin/true
Disable Mounting of squashfsxccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled lowCCE-83498-6

Disable Mounting of squashfs

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_squashfs_disabled:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-83498-6

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.2

Description
To configure the system to prevent the squashfs kernel module from being loaded, add the following line to the file /etc/modprobe.d/squashfs.conf:
install squashfs /bin/true
To configure the system to prevent the squashfs from being used, add the following line to file /etc/modprobe.d/squashfs.conf:
blacklist squashfs
This effectively prevents usage of this uncommon filesystem. The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the system.
OVAL test results details

kernel module squashfs blacklisted  oval:ssg-test_kernmod_squashfs_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/squashfs.confblacklist squashfs

kernel module squashfs disabled  oval:ssg-test_kernmod_squashfs_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/squashfs.confinstall squashfs /bin/true
Disable Mounting of udfxccdf_org.ssgproject.content_rule_kernel_module_udf_disabled lowCCE-82729-5

Disable Mounting of udf

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_udf_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_udf_disabled:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82729-5

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 3.4.6, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 1.1.1.3

Description
To configure the system to prevent the udf kernel module from being loaded, add the following line to the file /etc/modprobe.d/udf.conf:
install udf /bin/true
To configure the system to prevent the udf from being used, add the following line to file /etc/modprobe.d/udf.conf:
blacklist udf
This effectively prevents usage of this uncommon filesystem. The udf filesystem type is the universal disk format used to implement the ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is neccessary to support writing DVDs and newer optical disc formats.
Rationale
Removing support for unneeded filesystem types reduces the local attack surface of the system.
OVAL test results details

kernel module udf blacklisted  oval:ssg-test_kernmod_udf_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/udf.confblacklist udf

kernel module udf disabled  oval:ssg-test_kernmod_udf_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/udf.confinstall udf /bin/true
Disable Modprobe Loading of USB Storage Driverxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled mediumCCE-80835-2

Disable Modprobe Loading of USB Storage Driver

Rule IDxccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-kernel_module_usb-storage_disabled:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80835-2

References:  1, 12, 15, 16, 5, APO13.01, DSS01.04, DSS05.03, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.21, CCI-000366, CCI-000778, CCI-001958, 164.308(a)(3)(i), 164.308(a)(3)(ii)(A), 164.310(d)(1), 164.310(d)(2), 164.312(a)(1), 164.312(a)(2)(iv), 164.312(b), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.6, A.11.2.6, A.13.1.1, A.13.2.1, A.18.1.4, A.6.2.1, A.6.2.2, A.7.1.1, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.2, A.9.4.3, CM-7(a), CM-7(b), CM-6(a), MP-7, PR.AC-1, PR.AC-3, PR.AC-6, PR.AC-7, SRG-OS-000114-GPOS-00059, SRG-OS-000378-GPOS-00163, SRG-OS-000480-GPOS-00227, RHEL-08-040080, 1.1.10, SV-230503r809319_rule

Description
To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage driver. To configure the system to prevent the usb-storage kernel module from being loaded, add the following line to the file /etc/modprobe.d/usb-storage.conf:
install usb-storage /bin/true
To configure the system to prevent the usb-storage from being used, add the following line to file /etc/modprobe.d/usb-storage.conf:
blacklist usb-storage
This will prevent the modprobe program from loading the usb-storage module, but will not prevent an administrator (or another program) from using the insmod program to load the module manually.
Rationale
USB storage devices such as thumb drives can be used to introduce malicious software.
OVAL test results details

kernel module usb-storage blacklisted  oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/usb-storage.confblacklist usb-storage

kernel module usb-storage disabled  oval:ssg-test_kernmod_usb-storage_disabled:tst:1  true

Following items have been found on the system:
PathContent
/etc/modprobe.d/usb-storage.confinstall usb-storage /bin/true
Add nodev Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev mediumCCE-80837-8

Add nodev Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_nodev:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80837-8

References:  11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040120, 1.1.8.1, SV-230508r627750_rule

Description
The nodev mount option can be used to prevent creation of device files in /dev/shm. Legitimate character and block devices should not exist within temporary directories like /dev/shm. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /dev/shm optional no  oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4782090478209

/dev/shm exists  oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4782090478209
Add noexec Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec mediumCCE-80838-6

Add noexec Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_noexec:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80838-6

References:  11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040122, 1.1.8.2, SV-230510r627750_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /dev/shm. It can be dangerous to allow the execution of binaries from world-writable temporary storage directories such as /dev/shm. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
Allowing users to execute binaries from world-writable directories such as /dev/shm can expose the system to potential compromise.
OVAL test results details

noexec on /dev/shm optional no  oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4782090478209

/dev/shm exists  oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4782090478209
Add nosuid Option to /dev/shmxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid mediumCCE-80839-4

Add nosuid Option to /dev/shm

Rule IDxccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_dev_shm_nosuid:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80839-4

References:  11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040121, 1.1.8.3, SV-230509r627750_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /dev/shm. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /dev/shm.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
OVAL test results details

nosuid on /dev/shm optional no  oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4782090478209

/dev/shm exists  oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/dev/shmtmpfstmpfsrwseclabelnosuidnodevnoexec4782090478209
Add nodev Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nodev unknownCCE-81048-1

Add nodev Option to /home

Rule IDxccdf_org.ssgproject.content_rule_mount_option_home_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_home_nodev:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-81048-1

References:  BP28(R12), SRG-OS-000368-GPOS-00154, 1.1.7.2

Description
The nodev mount option can be used to prevent device files from being created in /home. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /home optional yes  oval:ssg-test_home_partition_nodev_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/rootvg-homelv841c3ec8-e576-405d-80ff-4ae2bf8883adxfsrwseclabelnosuidnodevrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958446637212947
Add nosuid Option to /homexccdf_org.ssgproject.content_rule_mount_option_home_nosuid mediumCCE-81050-7

Add nosuid Option to /home

Rule IDxccdf_org.ssgproject.content_rule_mount_option_home_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_home_nosuid:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-81050-7

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-000366, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, SRG-OS-000480-GPOS-00227, RHEL-08-010570, 1.1.7.3, SV-230299r627750_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /home. The SUID and SGID permissions should not be required in these user data directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /home.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from user home directory partitions.
OVAL test results details

nosuid on /home optional yes  oval:ssg-test_home_partition_nosuid_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/home/dev/mapper/rootvg-homelv841c3ec8-e576-405d-80ff-4ae2bf8883adxfsrwseclabelnosuidnodevrelatimeattr2inode64logbufs=8logbsize=32knoquotabind25958446637212947
Add nodev Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev mediumCCE-82623-0

Add nodev Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_tmp_nodev:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82623-0

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040123, 1.1.2.2, SV-230511r627750_rule

Description
The nodev mount option can be used to prevent device files from being created in /tmp. Legitimate character and block devices should not exist within temporary directories like /tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /tmp optional yes  oval:ssg-test_tmp_partition_nodev_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmp/dev/mapper/rootvg-tmplv10a53d6f-3d9b-403a-a691-083632225621xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172824692497036
Add noexec Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec mediumCCE-82139-7

Add noexec Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_tmp_noexec:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82139-7

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040125, 1.1.2.3, SV-230513r627750_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
Allowing users to execute binaries from world-writable directories such as /tmp should never be necessary in normal operation and can expose the system to potential compromise.
OVAL test results details

noexec on /tmp optional yes  oval:ssg-test_tmp_partition_noexec_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmp/dev/mapper/rootvg-tmplv10a53d6f-3d9b-403a-a691-083632225621xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172824692497036
Add nosuid Option to /tmpxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid mediumCCE-82140-5

Add nosuid Option to /tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_tmp_nosuid:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82140-5

References:  BP28(R12), 11, 13, 14, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS05.06, DSS06.06, CCI-001764, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.11.2.9, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.8.2.1, A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.9.1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040124, 1.1.2.4, SV-230512r627750_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /tmp.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
OVAL test results details

nosuid on /tmp optional yes  oval:ssg-test_tmp_partition_nosuid_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/tmp/dev/mapper/rootvg-tmplv10a53d6f-3d9b-403a-a691-083632225621xfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind52172824692497036
Add nodev Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev mediumCCE-82080-3

Add nodev Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_audit_nodev:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82080-3

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040129, 1.1.6.3, SV-230517r627750_rule

Description
The nodev mount option can be used to prevent device files from being created in /var/log/audit. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log/audit --mountoptions="nodev"

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: If /var/log/audit not mounted, craft
    mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log/audit
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: Make sure nodev option is part of the
    to /var/log/audit options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nodev" not in mount_info.options
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log/audit: Ensure /var/log/audit is mounted with
    nodev option'
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82080-3
  - DISA-STIG-RHEL-08-040129
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nodev
  - no_reboot_needed

Reboot:false
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log/audit")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log/audit)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log/audit  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
    fi


    if mkdir -p "/var/log/audit"; then
        if mountpoint -q "/var/log/audit"; then
            mount -o remount --target "/var/log/audit"
        else
            mount --target "/var/log/audit"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

nodev on /var/log/audit optional yes  oval:ssg-test_var_log_audit_partition_nodev_optional_yes:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_partition_nodev_optional_yes:obj:1 of type partition_object
Mount point
/var/log/audit
Add noexec Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec mediumCCE-82975-4

Add noexec Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_audit_noexec:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82975-4

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040131, 1.1.6.2, SV-230519r627750_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /var/log/audit. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
Allowing users to execute binaries from directories containing audit log files such as /var/log/audit should never be necessary in normal operation and can expose the system to potential compromise.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log/audit --mountoptions="noexec"

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: If /var/log/audit not mounted, craft
    mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log/audit
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: Make sure noexec option is part of the
    to /var/log/audit options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log/audit: Ensure /var/log/audit is mounted with
    noexec option'
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82975-4
  - DISA-STIG-RHEL-08-040131
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_noexec
  - no_reboot_needed

Reboot:false
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log/audit")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log/audit)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log/audit  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/var/log/audit"; then
        if mountpoint -q "/var/log/audit"; then
            mount -o remount --target "/var/log/audit"
        else
            mount --target "/var/log/audit"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

noexec on /var/log/audit optional yes  oval:ssg-test_var_log_audit_partition_noexec_optional_yes:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_partition_noexec_optional_yes:obj:1 of type partition_object
Mount point
/var/log/audit
Add nosuid Option to /var/log/auditxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid mediumCCE-82921-8

Add nosuid Option to /var/log/audit

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_audit_nosuid:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82921-8

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040130, 1.1.6.4, SV-230518r627750_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/log/audit. The SUID and SGID permissions should not be required in directories containing audit log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log/audit.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for audit log files.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log/audit --mountoptions="nosuid"

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /var/log/audit: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log/audit'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: If /var/log/audit not mounted, craft
    mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log/audit
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: Make sure nosuid option is part of the
    to /var/log/audit options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nosuid" not in mount_info.options
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log/audit: Ensure /var/log/audit is mounted with
    nosuid option'
  mount:
    path: /var/log/audit
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82921-8
  - DISA-STIG-RHEL-08-040130
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_audit_nosuid
  - no_reboot_needed

Reboot:false
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log/audit")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log/audit' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log/audit in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log/audit)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log/audit  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi


    if mkdir -p "/var/log/audit"; then
        if mountpoint -q "/var/log/audit"; then
            mount -o remount --target "/var/log/audit"
        else
            mount --target "/var/log/audit"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

nosuid on /var/log/audit optional yes  oval:ssg-test_var_log_audit_partition_nosuid_optional_yes:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_audit_partition_nosuid_optional_yes:obj:1 of type partition_object
Mount point
/var/log/audit
Add nodev Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev mediumCCE-82077-9

Add nodev Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_nodev
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_nodev:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82077-9

References:  CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040126, 1.1.5.2, SV-230514r627750_rule

Description
The nodev mount option can be used to prevent device files from being created in /var/log. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log --mountoptions="nodev"

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nodev Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: If /var/log not mounted, craft mount_info manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: Make sure nodev option is part of the to /var/log
    options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nodev''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nodev" not in mount_info.options
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

- name: 'Add nodev Option to /var/log: Ensure /var/log is mounted with nodev option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82077-9
  - DISA-STIG-RHEL-08-040126
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nodev
  - no_reboot_needed

Reboot:false
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nodev)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log  defaults,${previous_mount_opts}nodev 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nodev")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nodev|" /etc/fstab
    fi


    if mkdir -p "/var/log"; then
        if mountpoint -q "/var/log"; then
            mount -o remount --target "/var/log"
        else
            mount --target "/var/log"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

nodev on /var/log optional yes  oval:ssg-test_var_log_partition_nodev_optional_yes:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_partition_nodev_optional_yes:obj:1 of type partition_object
Mount point
/var/log
Add noexec Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec mediumCCE-82008-4

Add noexec Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_noexec
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_noexec:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82008-4

References:  BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040128, 1.1.5.3, SV-230516r627750_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /var/log. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
Allowing users to execute binaries from directories containing log files such as /var/log should never be necessary in normal operation and can expose the system to potential compromise.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log --mountoptions="noexec"

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add noexec Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: If /var/log not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: Make sure noexec option is part of the to
    /var/log options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',noexec''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "noexec" not in mount_info.options
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

- name: 'Add noexec Option to /var/log: Ensure /var/log is mounted with noexec option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82008-4
  - DISA-STIG-RHEL-08-040128
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_noexec
  - no_reboot_needed

Reboot:false
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|noexec)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log  defaults,${previous_mount_opts}noexec 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "noexec")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,noexec|" /etc/fstab
    fi


    if mkdir -p "/var/log"; then
        if mountpoint -q "/var/log"; then
            mount -o remount --target "/var/log"
        else
            mount --target "/var/log"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

noexec on /var/log optional yes  oval:ssg-test_var_log_partition_noexec_optional_yes:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_partition_noexec_optional_yes:obj:1 of type partition_object
Mount point
/var/log
Add nosuid Option to /var/logxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid mediumCCE-82065-4

Add nosuid Option to /var/log

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_log_nosuid:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82065-4

References:  BP28(R12), CCI-001764, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, RHEL-08-040127, 1.1.5.4, SV-230515r627750_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/log. The SUID and SGID permissions should not be required in directories containing log files. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/log.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from partitions designated for log files.

Complexity:low
Disruption:high
Reboot:false
Strategy:enable

part /var/log --mountoptions="nosuid"

Complexity:low
Disruption:high
Reboot:false
Strategy:configure
- name: 'Add nosuid Option to /var/log: Check information associated to mountpoint'
  command: findmnt --fstab '/var/log'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: Create mount_info dictionary variable'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - '{{ device_name.stdout_lines[0].split() | list | lower }}'
  - '{{ device_name.stdout_lines[1].split() | list }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - device_name.stdout is defined and device_name.stdout_lines is defined
  - (device_name.stdout | length > 0)
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: If /var/log not mounted, craft mount_info
    manually'
  set_fact:
    mount_info: '{{ mount_info|default({})|combine({item.0: item.1}) }}'
  with_together:
  - - target
    - source
    - fstype
    - options
  - - /var/log
    - ''
    - ''
    - defaults
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - ("--fstab" | length == 0)
  - (device_name.stdout | length == 0)
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: Make sure nosuid option is part of the to
    /var/log options'
  set_fact:
    mount_info: '{{ mount_info | combine( {''options'':''''~mount_info.options~'',nosuid''
      }) }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - mount_info is defined and "nosuid" not in mount_info.options
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

- name: 'Add nosuid Option to /var/log: Ensure /var/log is mounted with nosuid option'
  mount:
    path: /var/log
    src: '{{ mount_info.source }}'
    opts: '{{ mount_info.options }}'
    state: mounted
    fstype: '{{ mount_info.fstype }}'
  when:
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
    | length == 0)
  tags:
  - CCE-82065-4
  - DISA-STIG-RHEL-08-040127
  - NIST-800-53-AC-6
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - NIST-800-53-CM-7(a)
  - NIST-800-53-CM-7(b)
  - NIST-800-53-MP-7
  - configure_strategy
  - high_disruption
  - low_complexity
  - medium_severity
  - mount_option_var_log_nosuid
  - no_reboot_needed

Reboot:false
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
    
        mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" "/var/log")"

    grep "$mount_point_match_regexp" -q /etc/fstab \
        || { echo "The mount point '/var/log' is not even in /etc/fstab, so we can't set up mount options" >&2;
                echo "Not remediating, because there is no record of /var/log in /etc/fstab" >&2; return 1; }
    


    mount_point_match_regexp="$(printf "[[:space:]]%s[[:space:]]" /var/log)"

    # If the mount point is not in /etc/fstab, get previous mount options from /etc/mtab
    if [ "$(grep -c "$mount_point_match_regexp" /etc/fstab)" -eq 0 ]; then
        # runtime opts without some automatic kernel/userspace-added defaults
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/mtab | head -1 |  awk '{print $4}' \
                    | sed -E "s/(rw|defaults|seclabel|nosuid)(,|$)//g;s/,$//")
        [ "$previous_mount_opts" ] && previous_mount_opts+=","
        echo " /var/log  defaults,${previous_mount_opts}nosuid 0 0" >> /etc/fstab
    # If the mount_opt option is not already in the mount point's /etc/fstab entry, add it
    elif [ "$(grep "$mount_point_match_regexp" /etc/fstab | grep -c "nosuid")" -eq 0 ]; then
        previous_mount_opts=$(grep "$mount_point_match_regexp" /etc/fstab | awk '{print $4}')
        sed -i "s|\(${mount_point_match_regexp}.*${previous_mount_opts}\)|\1,nosuid|" /etc/fstab
    fi


    if mkdir -p "/var/log"; then
        if mountpoint -q "/var/log"; then
            mount -o remount --target "/var/log"
        else
            mount --target "/var/log"
        fi
    fi
}

perform_remediation

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
OVAL test results details

nosuid on /var/log optional yes  oval:ssg-test_var_log_partition_nosuid_optional_yes:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_var_log_partition_nosuid_optional_yes:obj:1 of type partition_object
Mount point
/var/log
Add nodev Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nodev mediumCCE-82062-1

Add nodev Option to /var

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_nodev
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_nodev:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82062-1

References:  CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-6, AC-6(1), MP-7, PR.IP-1, PR.PT-2, PR.PT-3, SRG-OS-000368-GPOS-00154, 1.1.3.2

Description
The nodev mount option can be used to prevent device files from being created in /var. Legitimate character and block devices should exist only in the /dev directory on the root partition or within chroot jails built for system services. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
OVAL test results details

nodev on /var optional yes  oval:ssg-test_var_partition_nodev_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/dev/mapper/rootvg-varlv2e953a84-ce4d-4d23-9527-029c4011938cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind20945921452681949324
Add noexec Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_noexec mediumCCE-83330-1

Add noexec Option to /var

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_noexec
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_noexec:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83330-1

References:  BP28(R12), 1.1.3.3

Description
The noexec mount option can be used to prevent binaries from being executed out of /var. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var.
Rationale
The /var directory contains variable system data such as logs, mails and caches. No binaries should be executed from this directory.
OVAL test results details

noexec on /var optional yes  oval:ssg-test_var_partition_noexec_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/dev/mapper/rootvg-varlv2e953a84-ce4d-4d23-9527-029c4011938cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind20945921452681949324
Add nosuid Option to /varxccdf_org.ssgproject.content_rule_mount_option_var_nosuid unknownCCE-83383-0

Add nosuid Option to /var

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_nosuid
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-mount_option_var_nosuid:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-83383-0

References:  BP28(R12), 1.1.3.4

Description
The nosuid mount option can be used to prevent execution of setuid programs in /var. The SUID and SGID permissions should not be required for this directory. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var.
Rationale
The presence of SUID and SGID executables should be tightly controlled.
OVAL test results details

nosuid on /var optional yes  oval:ssg-test_var_partition_nosuid_optional_yes:tst:1  true

Following items have been found on the system:
Mount pointDeviceUuidFs typeMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsMount optionsTotal spaceSpace usedSpace left
/var/dev/mapper/rootvg-varlv2e953a84-ce4d-4d23-9527-029c4011938cxfsrwseclabelnosuidnodevnoexecrelatimeattr2inode64logbufs=8logbsize=32knoquotabind20945921452681949324
Add nodev Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev mediumCCE-82068-8

Add nodev Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82068-8

References:  BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040132, 1.1.4.4, SV-230520r792927_rule

Description
The nodev mount option can be used to prevent device files from being created in /var/tmp. Legitimate character and block devices should not exist within temporary directories like /var/tmp. Add the nodev option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
The only legitimate location for device files is the /dev directory located on the root partition. The only exception to this is chroot jails.
Add noexec Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec mediumCCE-82151-2

Add noexec Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82151-2

References:  BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040134, 1.1.4.2, SV-230522r792933_rule

Description
The noexec mount option can be used to prevent binaries from being executed out of /var/tmp. Add the noexec option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
Allowing users to execute binaries from world-writable directories such as /var/tmp should never be necessary in normal operation and can expose the system to potential compromise.
Add nosuid Option to /var/tmpxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid mediumCCE-82154-6

Add nosuid Option to /var/tmp

Rule IDxccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82154-6

References:  BP28(R12), CCI-001764, SRG-OS-000368-GPOS-00154, RHEL-08-040133, 1.1.4.3, SV-230521r792930_rule

Description
The nosuid mount option can be used to prevent execution of setuid programs in /var/tmp. The SUID and SGID permissions should not be required in these world-writable directories. Add the nosuid option to the fourth column of /etc/fstab for the line which controls mounting of /var/tmp.
Rationale
The presence of SUID and SGID executables should be tightly controlled. Users should not be able to execute SUID or SGID binaries from temporary storage partitions.
Disable core dump backtracesxccdf_org.ssgproject.content_rule_coredump_disable_backtraces mediumCCE-82251-0

Disable core dump backtraces

Rule IDxccdf_org.ssgproject.content_rule_coredump_disable_backtraces
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-coredump_disable_backtraces:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82251-0

References:  CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010675, 1.5.2, SV-230315r627750_rule

Description
The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
Warnings
warning  If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.
OVAL test results details

tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_backtraces:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/coredump.conf [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= ProcessSizeMax=0
Disable storing core dumpxccdf_org.ssgproject.content_rule_coredump_disable_storage mediumCCE-82252-8

Disable storing core dump

Rule IDxccdf_org.ssgproject.content_rule_coredump_disable_storage
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-coredump_disable_storage:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82252-8

References:  CCI-000366, CM-6, FMT_SMF_EXT.1, SRG-OS-000480-GPOS-00227, RHEL-08-010674, 1.5.1, SV-230314r627750_rule

Description
The Storage option in [Coredump] section of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently.
Rationale
A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.
Warnings
warning  If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.
OVAL test results details

tests the value of Storage setting in the /etc/systemd/coredump.conf file  oval:ssg-test_coredump_disable_storage:tst:1  true

Following items have been found on the system:
PathContent
/etc/systemd/coredump.conf [Coredump] #Storage=external #Compress=yes #ProcessSizeMax=2G #ExternalSizeMax=2G #JournalSizeMax=767M #MaxUse= #KeepFree= ProcessSizeMax=0 Storage=none
Enable Randomized Layout of Virtual Address Spacexccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space mediumCCE-80916-0

Enable Randomized Layout of Virtual Address Space

Rule IDxccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sysctl_kernel_randomize_va_space:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80916-0

References:  BP28(R23), 3.1.7, CCI-000366, CCI-002824, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), CIP-002-5 R1.1, CIP-002-5 R1.2, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 4.1, CIP-004-6 4.2, CIP-004-6 R2.2.3, CIP-004-6 R2.2.4, CIP-004-6 R2.3, CIP-004-6 R4, CIP-005-6 R1, CIP-005-6 R1.1, CIP-005-6 R1.2, CIP-007-3 R3, CIP-007-3 R3.1, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.1.3, CIP-007-3 R5.2.1, CIP-007-3 R5.2.3, CIP-007-3 R8.4, CIP-009-6 R.1.1, CIP-009-6 R4, SC-30, SC-30(2), CM-6(a), SRG-OS-000433-GPOS-00193, SRG-OS-000480-GPOS-00227, RHEL-08-010430, 1.5.3, SV-230280r833303_rule

Description
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
Rationale
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
OVAL test results details

kernel.randomize_va_space static configuration  oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.confkernel.randomize_va_space=2

kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1  true

Following items have been found on the system:
PathContent
/etc/sysctl.d/99-sysctl.confkernel.randomize_va_space=2

kernel.randomize_va_space static configuration in /run/sysctl.d/*.conf  oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/run/sysctl.d^.*\.conf$^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$1

Check that only one file contains kernel_randomize_va_space  oval:ssg-test_sysctl_kernel_randomize_va_space_defined_in_one_file:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-local_var_sysctl_kernel_randomize_va_space_counter:var:11

kernel runtime parameter kernel.randomize_va_space set to 2  oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1  true

Following items have been found on the system:
NameValue
kernel.randomize_va_space2
Install libselinux Packagexccdf_org.ssgproject.content_rule_package_libselinux_installed highCCE-82877-2

Install libselinux Package

Rule IDxccdf_org.ssgproject.content_rule_package_libselinux_installed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_libselinux_installed:def:1
Time2022-11-07T15:05:53+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82877-2

References:  1.6.1.1

Description
The libselinux package can be installed with the following command:
$ sudo yum install libselinux
Rationale
Security-enhanced Linux is a feature of the Linux kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The libselinux package contains the core library of the Security-enhanced Linux system.
OVAL test results details

package libselinux is installed  oval:ssg-test_package_libselinux_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
libselinuxx86_64(none)5.el82.90:2.9-5.el8199e2f91fd431d51libselinux-0:2.9-5.el8.x86_64
Uninstall mcstrans Packagexccdf_org.ssgproject.content_rule_package_mcstrans_removed lowCCE-82756-8

Uninstall mcstrans Package

Rule IDxccdf_org.ssgproject.content_rule_package_mcstrans_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_mcstrans_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82756-8

References:  1.6.1.8

Description
The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/setrans.conf. The mcstrans package can be removed with the following command:
$ sudo yum erase mcstrans
Rationale
Since this service is not used very often, disable it to reduce the amount of potentially vulnerable code running on the system.
OVAL test results details

package mcstrans is removed  oval:ssg-test_package_mcstrans_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_mcstrans_removed:obj:1 of type rpminfo_object
Name
mcstrans
Uninstall setroubleshoot Packagexccdf_org.ssgproject.content_rule_package_setroubleshoot_removed lowCCE-82755-0

Uninstall setroubleshoot Package

Rule IDxccdf_org.ssgproject.content_rule_package_setroubleshoot_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_setroubleshoot_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82755-0

References:  BP28(R68), 1.6.1.7

Description
The SETroubleshoot service notifies desktop users of SELinux denials. The service provides information around configuration errors, unauthorized intrusions, and other potential errors. The setroubleshoot package can be removed with the following command:
$ sudo yum erase setroubleshoot
Rationale
The SETroubleshoot service is an unnecessary daemon to have running on a server, especially if X Windows is removed or disabled.
OVAL test results details

package setroubleshoot is removed  oval:ssg-test_package_setroubleshoot_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_setroubleshoot_removed:obj:1 of type rpminfo_object
Name
setroubleshoot
Ensure SELinux Not Disabled in /etc/default/grubxccdf_org.ssgproject.content_rule_grub2_enable_selinux mediumCCE-80827-9

Ensure SELinux Not Disabled in /etc/default/grub

Rule IDxccdf_org.ssgproject.content_rule_grub2_enable_selinux
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-grub2_enable_selinux:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80827-9

References:  1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-000022, CCI-000032, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-3(3)(a), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-VMM-001780, 1.6.1.2

Description
SELinux can be disabled at boot time by an argument in /etc/default/grub. Remove any instances of selinux=0 from the kernel arguments in that file to prevent SELinux from being disabled at boot.
Rationale
Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
OVAL test results details

check value selinux|enforcing=0 in /etc/default/grub, fail if found  oval:ssg-test_selinux_default_grub:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_default_grub:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/default/grub^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$1

check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found  oval:ssg-test_selinux_grub2_cfg:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub2_cfg:obj:1 of type textfilecontent54_object
FilepathPatternInstance
/etc/grub2.cfg^.*(selinux|enforcing)=0.*$1

check value selinux|enforcing=0 in /etc/grub.d fail if found  oval:ssg-test_selinux_grub_dir:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_selinux_grub_dir:obj:1 of type textfilecontent54_object
PathFilenamePatternInstance
/etc/grub.d^.*$^.*(selinux|enforcing)=0.*$1
Ensure No Daemons are Unconfined by SELinuxxccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons mediumCCE-80867-5

Ensure No Daemons are Unconfined by SELinux

Rule IDxccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
Result
fail
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_confinement_of_daemons:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80867-5

References:  1, 11, 12, 13, 14, 15, 16, 18, 3, 5, 6, 9, APO01.06, APO11.04, BAI03.05, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.06, MEA02.01, 3.1.2, 3.1.5, 3.7.2, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.3.3.3.9, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.5.1, A.12.6.2, A.12.7.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, CM-7(a), CM-7(b), CM-6(a), AC-3(3)(a), AC-6, PR.AC-4, PR.DS-5, PR.IP-1, PR.PT-1, PR.PT-3, 1.6.1.6

Description
Daemons for which the SELinux policy does not contain rules will inherit the context of the parent process. Because daemons are launched during startup and descend from the init process, they inherit the unconfined_service_t context.

To check for unconfined daemons, run the following command:
$ sudo ps -eZ | grep "unconfined_service_t"
It should produce no output in a well-configured system.
Rationale
Daemons which run with the unconfined_service_t context may cause AVC denials, or allow privileges that the daemon does not require.
Warnings
warning  Automatic remediation of this control is not available. Remediation can be achieved by amending SELinux policy or stopping the unconfined daemons as outlined above.
OVAL test results details

none satisfy unconfined_service_t in /proc  oval:ssg-test_selinux_confinement_of_daemons:tst:1  false

Following items have been found on the system:
FilepathPathFilenameUserRoleTypeLow sensitivityRawlow sensitivity
/proc/1441/status/proc/1441statussystem_usystem_runconfined_service_ts0s0
/proc/1441/auxv/proc/1441auxvsystem_usystem_runconfined_service_ts0s0
/proc/1441/environ/proc/1441environsystem_usystem_runconfined_service_ts0s0
/proc/1441/personality/proc/1441personalitysystem_usystem_runconfined_service_ts0s0
/proc/1441/limits/proc/1441limitssystem_usystem_runconfined_service_ts0s0
/proc/1441/sched/proc/1441schedsystem_usystem_runconfined_service_ts0s0
/proc/1441/autogroup/proc/1441autogroupsystem_usystem_runconfined_service_ts0s0
/proc/1441/timens_offsets/proc/1441timens_offsetssystem_usystem_runconfined_service_ts0s0
/proc/1441/comm/proc/1441commsystem_usystem_runconfined_service_ts0s0
/proc/1441/syscall/proc/1441syscallsystem_usystem_runconfined_service_ts0s0
/proc/1441/cmdline/proc/1441cmdlinesystem_usystem_runconfined_service_ts0s0
/proc/1441/stat/proc/1441statsystem_usystem_runconfined_service_ts0s0
/proc/1441/statm/proc/1441statmsystem_usystem_runconfined_service_ts0s0
/proc/1441/maps/proc/1441mapssystem_usystem_runconfined_service_ts0s0
/proc/1441/numa_maps/proc/1441numa_mapssystem_usystem_runconfined_service_ts0s0
/proc/1441/mem/proc/1441memsystem_usystem_runconfined_service_ts0s0
/proc/1441/mountinfo/proc/1441mountinfosystem_usystem_runconfined_service_ts0s0
/proc/1441/mounts/proc/1441mountssystem_usystem_runconfined_service_ts0s0
/proc/1441/mountstats/proc/1441mountstatssystem_usystem_runconfined_service_ts0s0
/proc/1441/clear_refs/proc/1441clear_refssystem_usystem_runconfined_service_ts0s0
/proc/1441/smaps/proc/1441smapssystem_usystem_runconfined_service_ts0s0
/proc/1441/smaps_rollup/proc/1441smaps_rollupsystem_usystem_runconfined_service_ts0s0
/proc/1441/pagemap/proc/1441pagemapsystem_usystem_runconfined_service_ts0s0
/proc/1441/wchan/proc/1441wchansystem_usystem_runconfined_service_ts0s0
/proc/1441/stack/proc/1441stacksystem_usystem_runconfined_service_ts0s0
/proc/1441/schedstat/proc/1441schedstatsystem_usystem_runconfined_service_ts0s0
/proc/1441/cpuset/proc/1441cpusetsystem_usystem_runconfined_service_ts0s0
/proc/1441/cgroup/proc/1441cgroupsystem_usystem_runconfined_service_ts0s0
/proc/1441/cpu_resctrl_groups/proc/1441cpu_resctrl_groupssystem_usystem_runconfined_service_ts0s0
/proc/1441/oom_score/proc/1441oom_scoresystem_usystem_runconfined_service_ts0s0
/proc/1441/oom_adj/proc/1441oom_adjsystem_usystem_runconfined_service_ts0s0
/proc/1441/oom_score_adj/proc/1441oom_score_adjsystem_usystem_runconfined_service_ts0s0
/proc/1441/loginuid/proc/1441loginuidsystem_usystem_runconfined_service_ts0s0
/proc/1441/sessionid/proc/1441sessionidsystem_usystem_runconfined_service_ts0s0
/proc/1441/coredump_filter/proc/1441coredump_filtersystem_usystem_runconfined_service_ts0s0
/proc/1441/io/proc/1441iosystem_usystem_runconfined_service_ts0s0
/proc/1441/uid_map/proc/1441uid_mapsystem_usystem_runconfined_service_ts0s0
/proc/1441/gid_map/proc/1441gid_mapsystem_usystem_runconfined_service_ts0s0
/proc/1441/projid_map/proc/1441projid_mapsystem_usystem_runconfined_service_ts0s0
/proc/1441/setgroups/proc/1441setgroupssystem_usystem_runconfined_service_ts0s0
/proc/1441/timers/proc/1441timerssystem_usystem_runconfined_service_ts0s0
/proc/1441/timerslack_ns/proc/1441timerslack_nssystem_usystem_runconfined_service_ts0s0
/proc/3457/mounts/proc/3457mountssystem_usystem_runconfined_service_ts0s0
/proc/1441/patch_state/proc/1441patch_statesystem_usystem_runconfined_service_ts0s0
/proc/3457/environ/proc/3457environsystem_usystem_runconfined_service_ts0s0
/proc/3457/auxv/proc/3457auxvsystem_usystem_runconfined_service_ts0s0
/proc/3457/status/proc/3457statussystem_usystem_runconfined_service_ts0s0
/proc/3457/personality/proc/3457personalitysystem_usystem_runconfined_service_ts0s0
/proc/3457/limits/proc/3457limitssystem_usystem_runconfined_service_ts0s0
/proc/3457/sched/proc/3457schedsystem_usystem_runconfined_service_ts0s0
/proc/3457/autogroup/proc/3457autogroupsystem_usystem_runconfined_service_ts0s0
/proc/3457/timens_offsets/proc/3457timens_offsetssystem_usystem_runconfined_service_ts0s0
/proc/3457/comm/proc/3457commsystem_usystem_runconfined_service_ts0s0
/proc/3457/syscall/proc/3457syscallsystem_usystem_runconfined_service_ts0s0
/proc/3457/cmdline/proc/3457cmdlinesystem_usystem_runconfined_service_ts0s0
/proc/3457/stat/proc/3457statsystem_usystem_runconfined_service_ts0s0
/proc/3457/statm/proc/3457statmsystem_usystem_runconfined_service_ts0s0
/proc/3457/maps/proc/3457mapssystem_usystem_runconfined_service_ts0s0
/proc/3457/numa_maps/proc/3457numa_mapssystem_usystem_runconfined_service_ts0s0
/proc/3457/mem/proc/3457memsystem_usystem_runconfined_service_ts0s0
/proc/3457/mountinfo/proc/3457mountinfosystem_usystem_runconfined_service_ts0s0
/proc/3457/mountstats/proc/3457mountstatssystem_usystem_runconfined_service_ts0s0
/proc/3457/clear_refs/proc/3457clear_refssystem_usystem_runconfined_service_ts0s0
/proc/3457/smaps/proc/3457smapssystem_usystem_runconfined_service_ts0s0
/proc/3457/smaps_rollup/proc/3457smaps_rollupsystem_usystem_runconfined_service_ts0s0
/proc/3457/pagemap/proc/3457pagemapsystem_usystem_runconfined_service_ts0s0
/proc/3457/wchan/proc/3457wchansystem_usystem_runconfined_service_ts0s0
/proc/3457/stack/proc/3457stacksystem_usystem_runconfined_service_ts0s0
/proc/3457/schedstat/proc/3457schedstatsystem_usystem_runconfined_service_ts0s0
/proc/3457/cpuset/proc/3457cpusetsystem_usystem_runconfined_service_ts0s0
/proc/3457/cgroup/proc/3457cgroupsystem_usystem_runconfined_service_ts0s0
/proc/3457/cpu_resctrl_groups/proc/3457cpu_resctrl_groupssystem_usystem_runconfined_service_ts0s0
/proc/3457/oom_score/proc/3457oom_scoresystem_usystem_runconfined_service_ts0s0
/proc/3457/oom_adj/proc/3457oom_adjsystem_usystem_runconfined_service_ts0s0
/proc/3457/oom_score_adj/proc/3457oom_score_adjsystem_usystem_runconfined_service_ts0s0
/proc/3457/loginuid/proc/3457loginuidsystem_usystem_runconfined_service_ts0s0
/proc/3457/sessionid/proc/3457sessionidsystem_usystem_runconfined_service_ts0s0
/proc/3457/coredump_filter/proc/3457coredump_filtersystem_usystem_runconfined_service_ts0s0
/proc/3457/io/proc/3457iosystem_usystem_runconfined_service_ts0s0
/proc/3457/uid_map/proc/3457uid_mapsystem_usystem_runconfined_service_ts0s0
/proc/3457/gid_map/proc/3457gid_mapsystem_usystem_runconfined_service_ts0s0
/proc/3457/projid_map/proc/3457projid_mapsystem_usystem_runconfined_service_ts0s0
/proc/3457/setgroups/proc/3457setgroupssystem_usystem_runconfined_service_ts0s0
/proc/3457/timers/proc/3457timerssystem_usystem_runconfined_service_ts0s0
/proc/3457/timerslack_ns/proc/3457timerslack_nssystem_usystem_runconfined_service_ts0s0
/proc/3457/patch_state/proc/3457patch_statesystem_usystem_runconfined_service_ts0s0
Configure SELinux Policyxccdf_org.ssgproject.content_rule_selinux_policytype mediumCCE-80868-3

Configure SELinux Policy

Rule IDxccdf_org.ssgproject.content_rule_selinux_policytype
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_policytype:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80868-3

References:  BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000445-VMM-001780, RHEL-08-010450, 1.6.1.3, SV-230282r627750_rule

Description
The SELinux targeted policy is appropriate for general-purpose desktops and servers, as well as systems in many other roles. To configure the system to use this policy, add or correct the following line in /etc/selinux/config:
SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale
Setting the SELinux policy to targeted or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services.

Note: During the development or debugging of SELinux modules, it is common to temporarily place non-production systems in permissive mode. In such temporary cases, SELinux policies should be developed, and once work is completed, the system should be reconfigured to targeted.
OVAL test results details

Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file  oval:ssg-test_selinux_policy:tst:1  true

Following items have been found on the system:
PathContent
/etc/selinux/configSELINUXTYPE=targeted
Ensure SELinux State is Enforcingxccdf_org.ssgproject.content_rule_selinux_state mediumCCE-80869-1

Ensure SELinux State is Enforcing

Rule IDxccdf_org.ssgproject.content_rule_selinux_state
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-selinux_state:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80869-1

References:  BP28(R4), BP28(R66), 1, 11, 12, 13, 14, 15, 16, 18, 3, 4, 5, 6, 8, 9, APO01.06, APO11.04, APO13.01, BAI03.05, DSS01.05, DSS03.01, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, MEA02.01, 3.1.2, 3.7.2, CCI-001084, CCI-002165, CCI-002696, 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.310(b), 164.310(c), 164.312(a), 164.312(e), 4.2.3.4, 4.3.3.2.2, 4.3.3.3.9, 4.3.3.4, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4, 4.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.10, SR 2.11, SR 2.12, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 2.8, SR 2.9, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.1, A.12.1.2, A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1, A.13.1.1, A.13.1.2, A.13.1.3, A.13.2.1, A.13.2.2, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.2, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-004-6 R3.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CIP-007-3 R6.5, AC-3, AC-3(3)(a), AU-9, SC-7(21), DE.AE-1, ID.AM-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.DS-5, PR.PT-1, PR.PT-3, PR.PT-4, SRG-OS-000445-GPOS-00199, SRG-OS-000134-GPOS-00068, SRG-OS-000445-VMM-001780, RHEL-08-010170, 1.7.1.4, SV-230240r627750_rule

Description
The SELinux state should be set to enforcing at system boot time. In the file /etc/selinux/config, add or correct the following line to configure the system to boot into enforcing mode:
SELINUX=enforcing
Rationale
Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
OVAL test results details

/selinux/enforce is 1  oval:ssg-test_etc_selinux_config:tst:1  true

Following items have been found on the system:
PathContent
/etc/selinux/configSELINUX=enforcing
Ensure that /etc/at.deny does not existxccdf_org.ssgproject.content_rule_file_at_deny_not_exist mediumCCE-86945-3

Ensure that /etc/at.deny does not exist

Rule IDxccdf_org.ssgproject.content_rule_file_at_deny_not_exist
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_at_deny_not_exist:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86945-3

References:  5.1.9

Description
The file /etc/at.deny should not exist. Use /etc/at.allow instead.
Rationale
Access to at should be restricted. It is easier to manage an allow list than a deny list.
OVAL test results details

Test that that /etc/at.deny does not exist  oval:ssg-test_file_at_deny_not_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_at_deny_not_exist:obj:1 of type file_object
Filepath
/etc/at.deny
Ensure that /etc/cron.deny does not existxccdf_org.ssgproject.content_rule_file_cron_deny_not_exist mediumCCE-86849-7

Ensure that /etc/cron.deny does not exist

Rule IDxccdf_org.ssgproject.content_rule_file_cron_deny_not_exist
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_cron_deny_not_exist:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86849-7

References:  5.1.8

Description
The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.
Rationale
Access to cron should be restricted. It is easier to manage an allow list than a deny list.
OVAL test results details

Test that that /etc/cron.deny does not exist  oval:ssg-test_file_cron_deny_not_exist:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_cron_deny_not_exist:obj:1 of type file_object
Filepath
/etc/cron.deny
Verify Group Who Owns /etc/at.allow filexccdf_org.ssgproject.content_rule_file_groupowner_at_allow mediumCCE-87102-0

Verify Group Who Owns /etc/at.allow file

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_at_allow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_at_allow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-87102-0

References:  5.1.9

Description
If /etc/at.allow exists, it must be group-owned by root. To properly set the group owner of /etc/at.allow, run the command:
$ sudo chgrp root /etc/at.allow
Rationale
If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
OVAL test results details

Testing group ownership of /etc/at.allow  oval:ssg-test_file_groupowner_at_allow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_at_allow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/at.allowoval:ssg-symlink_file_groupowner_at_allow_uid_0:ste:1oval:ssg-state_file_groupowner_at_allow_gid_0_0:ste:1
Verify Group Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_groupowner_cron_allow mediumCCE-86829-9

Verify Group Who Owns /etc/cron.allow file

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_allow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86829-9

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.8

Description
If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:
$ sudo chgrp root /etc/cron.allow
Rationale
If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
OVAL test results details

Testing group ownership of /etc/cron.allow  oval:ssg-test_file_groupowner_cron_allow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_allow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/cron.allowoval:ssg-symlink_file_groupowner_cron_allow_uid_0:ste:1oval:ssg-state_file_groupowner_cron_allow_gid_0_0:ste:1
Verify User Who Owns /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_owner_cron_allow mediumCCE-86843-0

Verify User Who Owns /etc/cron.allow file

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_allow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_allow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86843-0

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.8

Description
If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:
$ sudo chown root /etc/cron.allow 
Rationale
If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
OVAL test results details

Testing user ownership of /etc/cron.allow  oval:ssg-test_file_owner_cron_allow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_allow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/cron.allowoval:ssg-symlink_file_owner_cron_allow_uid_0:ste:1oval:ssg-state_file_owner_cron_allow_uid_0_0:ste:1
Verify Permissions on /etc/at.allow filexccdf_org.ssgproject.content_rule_file_permissions_at_allow mediumCCE-86903-2

Verify Permissions on /etc/at.allow file

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_at_allow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_at_allow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86903-2

References:  5.1.9

Description
If /etc/at.allow exists, it must have permissions 0600 or more restrictive. To properly set the permissions of /etc/at.allow, run the command:
$ sudo chmod 0600 /etc/at.allow
Rationale
If the permissions of the at.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
OVAL test results details

Testing mode of /etc/at.allow  oval:ssg-test_file_permissions_at_allow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_at_allow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/at.allowoval:ssg-exclude_symlinks__at_allow:ste:1oval:ssg-state_file_permissions_at_allow_0_mode_0600or_stricter_:ste:1
Verify Permissions on /etc/cron.allow filexccdf_org.ssgproject.content_rule_file_permissions_cron_allow mediumCCE-86876-0

Verify Permissions on /etc/cron.allow file

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_allow
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_allow:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86876-0

References:  SRG-OS-000480-GPOS-00227, 5.1.8

Description
If /etc/cron.allow exists, it must have permissions 0600 or more restrictive. To properly set the permissions of /etc/cron.allow, run the command:
$ sudo chmod 0600 /etc/cron.allow
Rationale
If the permissions of the cron.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
OVAL test results details

Testing mode of /etc/cron.allow  oval:ssg-test_file_permissions_cron_allow_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_allow_0:obj:1 of type file_object
FilepathFilterFilter
/etc/cron.allowoval:ssg-exclude_symlinks__cron_allow:ste:1oval:ssg-state_file_permissions_cron_allow_0_mode_0600or_stricter_:ste:1
Enable cron Servicexccdf_org.ssgproject.content_rule_service_crond_enabled mediumCCE-80875-8

Enable cron Service

Rule IDxccdf_org.ssgproject.content_rule_service_crond_enabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_crond_enabled:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80875-8

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-6(a), PR.IP-1, PR.PT-3, 5.1.1

Description
The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service
Rationale
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
OVAL test results details

package cronie is installed  oval:ssg-test_service_crond_package_cronie_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
croniex86_64(none)4.el81.5.20:1.5.2-4.el8199e2f91fd431d51cronie-0:1.5.2-4.el8.x86_64

Test that the crond service is running  oval:ssg-test_service_running_crond:tst:1  true

Following items have been found on the system:
UnitPropertyValue
crond.serviceActiveStateactive

systemd test  oval:ssg-test_multi_user_wants_crond:tst:1  true

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service

systemd test  oval:ssg-test_multi_user_wants_crond_socket:tst:1  false

Following items have been found on the system:
UnitDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependencyDependency
multi-user.targetbasic.targetvar.mount-.mountsysinit.targetdev-hugepages.mountsystemd-ask-password-console.pathsys-kernel-debug.mountrngd.serviceiscsi-onboot.servicesystemd-udevd.servicelvm2-lvmpolld.socketsystemd-modules-load.servicecryptsetup.targetselinux-autorelabel-mark.servicesystemd-update-done.servicedracut-shutdown.servicesystemd-journal-catalog-update.servicemultipathd.servicesystemd-hwdb-update.servicesystemd-sysctl.servicedev-mqueue.mountimport-state.servicesystemd-update-utmp.servicenis-domainname.serviceswap.targetlvm2-monitor.servicesystemd-journald.servicesystemd-tmpfiles-setup.servicesystemd-tmpfiles-setup-dev.serviceproc-sys-fs-binfmt_misc.automountloadmodules.servicesystemd-binfmt.servicekmod-static-nodes.servicesystemd-journal-flush.servicesystemd-machine-id-commit.servicesys-fs-fuse-connections.mountsys-kernel-config.mountldconfig.servicesystemd-udev-trigger.servicesystemd-firstboot.servicelocal-fs.targetboot.mountusr.mounthome.mounttmp.mountboot-efi.mountmnt.mountsystemd-remount-fs.servicesystemd-random-seed.servicesystemd-sysusers.servicetimers.targetunbound-anchor.timerdnf-makecache.timersystemd-tmpfiles-clean.timermlocate-updatedb.timersockets.targetsystemd-journald.socketdbus.socketiscsiuio.socketsssd-kcm.socketdm-event.socketsystemd-journald-dev-log.socketmultipathd.socketiscsid.socketsystemd-udevd-control.socketsystemd-udevd-kernel.socketsystemd-initctl.socketsystemd-coredump.socketpaths.targetslices.target-.slicesystem.slicesmartd.serviceNetworkManager.servicenftables.servicewaagent.servicelibstoragemgmt.servicevdo.servicetuned.servicerhsmcertd.servicedbus.servicesystemd-update-utmp-runlevel.servicechronyd.servicefirewalld.servicekdump.serviceremote-fs.targetiscsi.servicesshd.servicecrond.servicesystemd-ask-password-wall.pathgetty.targetgetty@tty1.serviceserial-getty@ttyS0.servicemdmonitor.servicesystemd-user-sessions.servicesystemd-logind.serviceauditd.servicesystemd-resolved.servicecloud-init.targetcloud-init-local.servicecloud-init.servicecloud-config.servicecloud-final.servicemcelog.servicesssd.servicersyslog.serviceatd.serviceirqbalance.service
Verify Group Who Owns cron.dxccdf_org.ssgproject.content_rule_file_groupowner_cron_d mediumCCE-82268-4

Verify Group Who Owns cron.d

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_d:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82268-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7

Description
To properly set the group owner of /etc/cron.d, run the command:
$ sudo chgrp root /etc/cron.d
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.d/  oval:ssg-test_file_groupowner_cron_d_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_d_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dno valueoval:ssg-symlink_file_groupowner_cron_d_uid_0:ste:1oval:ssg-state_file_groupowner_cron_d_gid_0_0:ste:1
Verify Group Who Owns cron.dailyxccdf_org.ssgproject.content_rule_file_groupowner_cron_daily mediumCCE-82234-6

Verify Group Who Owns cron.daily

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_daily
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_daily:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82234-6

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4

Description
To properly set the group owner of /etc/cron.daily, run the command:
$ sudo chgrp root /etc/cron.daily
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.daily/  oval:ssg-test_file_groupowner_cron_daily_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_daily_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dailyno valueoval:ssg-symlink_file_groupowner_cron_daily_uid_0:ste:1oval:ssg-state_file_groupowner_cron_daily_gid_0_0:ste:1
Verify Group Who Owns cron.hourlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly mediumCCE-82227-0

Verify Group Who Owns cron.hourly

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_hourly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_hourly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82227-0

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3

Description
To properly set the group owner of /etc/cron.hourly, run the command:
$ sudo chgrp root /etc/cron.hourly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.hourly/  oval:ssg-test_file_groupowner_cron_hourly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_hourly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.hourlyno valueoval:ssg-symlink_file_groupowner_cron_hourly_uid_0:ste:1oval:ssg-state_file_groupowner_cron_hourly_gid_0_0:ste:1
Verify Group Who Owns cron.monthlyxccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly mediumCCE-82256-9

Verify Group Who Owns cron.monthly

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_monthly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_monthly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82256-9

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6

Description
To properly set the group owner of /etc/cron.monthly, run the command:
$ sudo chgrp root /etc/cron.monthly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.monthly/  oval:ssg-test_file_groupowner_cron_monthly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_monthly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.monthlyno valueoval:ssg-symlink_file_groupowner_cron_monthly_uid_0:ste:1oval:ssg-state_file_groupowner_cron_monthly_gid_0_0:ste:1
Verify Group Who Owns cron.weeklyxccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly mediumCCE-82244-5

Verify Group Who Owns cron.weekly

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_cron_weekly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_cron_weekly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82244-5

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5

Description
To properly set the group owner of /etc/cron.weekly, run the command:
$ sudo chgrp root /etc/cron.weekly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/cron.weekly/  oval:ssg-test_file_groupowner_cron_weekly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_cron_weekly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.weeklyno valueoval:ssg-symlink_file_groupowner_cron_weekly_uid_0:ste:1oval:ssg-state_file_groupowner_cron_weekly_gid_0_0:ste:1
Verify Group Who Owns Crontabxccdf_org.ssgproject.content_rule_file_groupowner_crontab mediumCCE-82223-9

Verify Group Who Owns Crontab

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_crontab:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82223-9

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2

Description
To properly set the group owner of /etc/crontab, run the command:
$ sudo chgrp root /etc/crontab
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/crontab  oval:ssg-test_file_groupowner_crontab_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_crontab_0:obj:1 of type file_object
FilepathFilterFilter
/etc/crontaboval:ssg-symlink_file_groupowner_crontab_uid_0:ste:1oval:ssg-state_file_groupowner_crontab_gid_0_0:ste:1
Verify Owner on cron.dxccdf_org.ssgproject.content_rule_file_owner_cron_d mediumCCE-82272-6

Verify Owner on cron.d

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_d:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82272-6

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7

Description
To properly set the owner of /etc/cron.d, run the command:
$ sudo chown root /etc/cron.d 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.d/  oval:ssg-test_file_owner_cron_d_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_d_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dno valueoval:ssg-symlink_file_owner_cron_d_uid_0:ste:1oval:ssg-state_file_owner_cron_d_uid_0_0:ste:1
Verify Owner on cron.dailyxccdf_org.ssgproject.content_rule_file_owner_cron_daily mediumCCE-82237-9

Verify Owner on cron.daily

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_daily
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_daily:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82237-9

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4

Description
To properly set the owner of /etc/cron.daily, run the command:
$ sudo chown root /etc/cron.daily 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.daily/  oval:ssg-test_file_owner_cron_daily_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_daily_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dailyno valueoval:ssg-symlink_file_owner_cron_daily_uid_0:ste:1oval:ssg-state_file_owner_cron_daily_uid_0_0:ste:1
Verify Owner on cron.hourlyxccdf_org.ssgproject.content_rule_file_owner_cron_hourly mediumCCE-82209-8

Verify Owner on cron.hourly

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_hourly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_hourly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82209-8

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3

Description
To properly set the owner of /etc/cron.hourly, run the command:
$ sudo chown root /etc/cron.hourly 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.hourly/  oval:ssg-test_file_owner_cron_hourly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_hourly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.hourlyno valueoval:ssg-symlink_file_owner_cron_hourly_uid_0:ste:1oval:ssg-state_file_owner_cron_hourly_uid_0_0:ste:1
Verify Owner on cron.monthlyxccdf_org.ssgproject.content_rule_file_owner_cron_monthly mediumCCE-82260-1

Verify Owner on cron.monthly

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_monthly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_monthly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82260-1

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6

Description
To properly set the owner of /etc/cron.monthly, run the command:
$ sudo chown root /etc/cron.monthly 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.monthly/  oval:ssg-test_file_owner_cron_monthly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_monthly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.monthlyno valueoval:ssg-symlink_file_owner_cron_monthly_uid_0:ste:1oval:ssg-state_file_owner_cron_monthly_uid_0_0:ste:1
Verify Owner on cron.weeklyxccdf_org.ssgproject.content_rule_file_owner_cron_weekly mediumCCE-82247-8

Verify Owner on cron.weekly

Rule IDxccdf_org.ssgproject.content_rule_file_owner_cron_weekly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_cron_weekly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82247-8

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5

Description
To properly set the owner of /etc/cron.weekly, run the command:
$ sudo chown root /etc/cron.weekly 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/cron.weekly/  oval:ssg-test_file_owner_cron_weekly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_cron_weekly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.weeklyno valueoval:ssg-symlink_file_owner_cron_weekly_uid_0:ste:1oval:ssg-state_file_owner_cron_weekly_uid_0_0:ste:1
Verify Owner on crontabxccdf_org.ssgproject.content_rule_file_owner_crontab mediumCCE-82224-7

Verify Owner on crontab

Rule IDxccdf_org.ssgproject.content_rule_file_owner_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_crontab:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82224-7

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2

Description
To properly set the owner of /etc/crontab, run the command:
$ sudo chown root /etc/crontab 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/crontab  oval:ssg-test_file_owner_crontab_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_crontab_0:obj:1 of type file_object
FilepathFilterFilter
/etc/crontaboval:ssg-symlink_file_owner_crontab_uid_0:ste:1oval:ssg-state_file_owner_crontab_uid_0_0:ste:1
Verify Permissions on cron.dxccdf_org.ssgproject.content_rule_file_permissions_cron_d mediumCCE-82277-5

Verify Permissions on cron.d

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_d
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_d:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82277-5

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.7

Description
To properly set the permissions of /etc/cron.d, run the command:
$ sudo chmod 0700 /etc/cron.d
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.d/  oval:ssg-test_file_permissions_cron_d_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_d_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dno valueoval:ssg-exclude_symlinks__cron_d:ste:1oval:ssg-state_file_permissions_cron_d_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.dailyxccdf_org.ssgproject.content_rule_file_permissions_cron_daily mediumCCE-82240-3

Verify Permissions on cron.daily

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_daily
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_daily:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82240-3

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.4

Description
To properly set the permissions of /etc/cron.daily, run the command:
$ sudo chmod 0700 /etc/cron.daily
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.daily/  oval:ssg-test_file_permissions_cron_daily_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_daily_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.dailyno valueoval:ssg-exclude_symlinks__cron_daily:ste:1oval:ssg-state_file_permissions_cron_daily_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.hourlyxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly mediumCCE-82230-4

Verify Permissions on cron.hourly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_hourly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_hourly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82230-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.3

Description
To properly set the permissions of /etc/cron.hourly, run the command:
$ sudo chmod 0700 /etc/cron.hourly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.hourly/  oval:ssg-test_file_permissions_cron_hourly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_hourly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.hourlyno valueoval:ssg-exclude_symlinks__cron_hourly:ste:1oval:ssg-state_file_permissions_cron_hourly_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.monthlyxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly mediumCCE-82263-5

Verify Permissions on cron.monthly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_monthly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_monthly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82263-5

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.6

Description
To properly set the permissions of /etc/cron.monthly, run the command:
$ sudo chmod 0700 /etc/cron.monthly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.monthly/  oval:ssg-test_file_permissions_cron_monthly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_monthly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.monthlyno valueoval:ssg-exclude_symlinks__cron_monthly:ste:1oval:ssg-state_file_permissions_cron_monthly_0_mode_0700or_stricter_:ste:1
Verify Permissions on cron.weeklyxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly mediumCCE-82253-6

Verify Permissions on cron.weekly

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_cron_weekly
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_cron_weekly:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82253-6

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.5

Description
To properly set the permissions of /etc/cron.weekly, run the command:
$ sudo chmod 0700 /etc/cron.weekly
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/cron.weekly/  oval:ssg-test_file_permissions_cron_weekly_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_cron_weekly_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/cron.weeklyno valueoval:ssg-exclude_symlinks__cron_weekly:ste:1oval:ssg-state_file_permissions_cron_weekly_0_mode_0700or_stricter_:ste:1
Verify Permissions on crontabxccdf_org.ssgproject.content_rule_file_permissions_crontab mediumCCE-82206-4

Verify Permissions on crontab

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_crontab
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_crontab:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82206-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.1.2

Description
To properly set the permissions of /etc/crontab, run the command:
$ sudo chmod 0600 /etc/crontab
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/crontab  oval:ssg-test_file_permissions_crontab_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_crontab_0:obj:1 of type file_object
FilepathFilterFilter
/etc/crontaboval:ssg-exclude_symlinks__crontab:ste:1oval:ssg-state_file_permissions_crontab_0_mode_0600or_stricter_:ste:1
Uninstall vsftpd Packagexccdf_org.ssgproject.content_rule_package_vsftpd_removed highCCE-82414-4

Uninstall vsftpd Package

Rule IDxccdf_org.ssgproject.content_rule_package_vsftpd_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_vsftpd_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82414-4

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000197, CCI-000366, CCI-000381, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), IA-5(1).1(v), CM-7, CM-7.1(ii), PR.IP-1, PR.PT-3, SRG-OS-000074-GPOS-00042, SRG-OS-000095-GPOS-00049, SRG-OS-000480-GPOS-00227, RHEL-08-040360, 2.2.8, SV-230558r627750_rule

Description
The vsftpd package can be removed with the following command:
 $ sudo yum erase vsftpd
Rationale
Removing the vsftpd package decreases the risk of its accidental activation.
OVAL test results details

package vsftpd is removed  oval:ssg-test_package_vsftpd_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_vsftpd_removed:obj:1 of type rpminfo_object
Name
vsftpd
Uninstall httpd Packagexccdf_org.ssgproject.content_rule_package_httpd_removed unknownCCE-85970-2

Uninstall httpd Package

Rule IDxccdf_org.ssgproject.content_rule_package_httpd_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_httpd_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-85970-2

References:  11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.10

Description
The httpd package can be removed with the following command:
$ sudo yum erase httpd
Rationale
If there is no need to make the web server software available, removing it provides a safeguard against its activation.
OVAL test results details

package httpd is removed  oval:ssg-test_package_httpd_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_httpd_removed:obj:1 of type rpminfo_object
Name
httpd
Uninstall dovecot Packagexccdf_org.ssgproject.content_rule_package_dovecot_removed unknownCCE-85976-9

Uninstall dovecot Package

Rule IDxccdf_org.ssgproject.content_rule_package_dovecot_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_dovecot_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-85976-9

References:  2.2.11

Description
The dovecot package can be removed with the following command:
$ sudo yum erase dovecot
Rationale
If there is no need to make the Dovecot software available, removing it provides a safeguard against its activation.
OVAL test results details

package dovecot is removed  oval:ssg-test_package_dovecot_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_dovecot_removed:obj:1 of type rpminfo_object
Name
dovecot
Ensure LDAP client is not installedxccdf_org.ssgproject.content_rule_package_openldap-clients_removed lowCCE-82885-5

Ensure LDAP client is not installed

Rule IDxccdf_org.ssgproject.content_rule_package_openldap-clients_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_openldap-clients_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-82885-5

References:  2.3.5

Description
The Lightweight Directory Access Protocol (LDAP) is a service that provides a method for looking up information from a central database. The openldap-clients package can be removed with the following command:
$ sudo yum erase openldap-clients
Rationale
If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface.
OVAL test results details

package openldap-clients is removed  oval:ssg-test_package_openldap-clients_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_openldap-clients_removed:obj:1 of type rpminfo_object
Name
openldap-clients
Disable Postfix Network Listeningxccdf_org.ssgproject.content_rule_postfix_network_listening_disabled mediumCCE-82174-4

Disable Postfix Network Listening

Rule IDxccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
Result
notapplicable
Multi-check ruleno
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82174-4

References:  BP28(R48), 11, 14, 3, 9, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.05, DSS06.06, CCI-000382, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.IP-1, PR.PT-3, 2.2.17

Description
Edit the file /etc/postfix/main.cf to ensure that only the following inet_interfaces line appears:
inet_interfaces = loopback-only
Rationale
This ensures postfix accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack.
Disable Network File System (nfs)xccdf_org.ssgproject.content_rule_service_nfs_disabled unknownCCE-82762-6

Disable Network File System (nfs)

Rule IDxccdf_org.ssgproject.content_rule_service_nfs_disabled
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-service_nfs_disabled:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-82762-6

References:  11, 12, 14, 15, 16, 18, 3, 5, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.PT-3, 2.2.18

Description
The Network File System (NFS) service allows remote hosts to mount and interact with shared filesystems on the local system. If the local system is not designated as a NFS server then this service should be disabled. The nfs-server service can be disabled with the following command:
$ sudo systemctl mask --now nfs-server.service
Rationale
Unnecessary services should be disabled to decrease the attack surface of the system.
OVAL test results details

package nfs-utils is removed  oval:ssg-test_service_nfs-server_package_nfs-utils_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_service_nfs-server_package_nfs-utils_removed:obj:1 of type rpminfo_object
Name
nfs-utils

Test that the nfs-server service is not running  oval:ssg-test_service_not_running_nfs-server:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_not_running_nfs-server:obj:1 of type systemdunitproperty_object
UnitProperty
^nfs-server\.(service|socket)$ActiveState

Test that the property LoadState from the service nfs-server is masked  oval:ssg-test_service_loadstate_is_masked_nfs-server:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_service_loadstate_is_masked_nfs-server:obj:1 of type systemdunitproperty_object
UnitProperty
^nfs-server\.(service|socket)$LoadState
Ensure that chronyd is running under chrony user accountxccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user mediumCCE-82879-8

Ensure that chronyd is running under chrony user account

Rule IDxccdf_org.ssgproject.content_rule_chronyd_run_as_chrony_user
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_run_as_chrony_user:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82879-8

References:  2.1.2

Description
chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. Chrony can be configured to be a client and/or a server. To ensure that chronyd is running under chrony user account, remove any -u ... option from OPTIONS other than -u chrony, as chrony is run under its own user by default. This recommendation only applies if chrony is in use on the system.
Rationale
If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
OVAL test results details

The default chrony user hasn't been overriden  oval:ssg-test_no_user_override:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_user_override:obj:1 of type textfilecontent54_object
BehaviorsFilepathPatternInstance
no value/etc/sysconfig/chronyd^\s*OPTIONS=.*[\s'"]-u(?!\s*chrony\b).*0
A remote time server for Chrony is configuredxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server mediumCCE-82873-1

A remote time server for Chrony is configured

Rule IDxccdf_org.ssgproject.content_rule_chronyd_specify_remote_server
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-chronyd_specify_remote_server:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82873-1

References:  BP28(R43), CCI-000160, CCI-001891, 0988, 1405, CM-6(a), AU-8(1)(a), Req-10.4.3, 2.1.2

Description
Chrony is a daemon which implements the Network Time Protocol (NTP). It is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. More information on chrony can be found at http://chrony.tuxfamily.org/. Chrony can be configured to be a client and/or a server. Add or edit server or pool lines to /etc/chrony.conf as appropriate:
server <remote-server>
Multiple servers may be configured.
Rationale
If chrony is in use on the system proper configuration is vital to ensuring time synchronization is working properly.
OVAL test results details

Ensure at least one NTP server is set  oval:ssg-test_chronyd_remote_server:tst:1  true

Following items have been found on the system:
PathContent
/etc/chrony.confpool 2.rhel.pool.ntp.org iburst
Uninstall xinetd Packagexccdf_org.ssgproject.content_rule_package_xinetd_removed lowCCE-80850-1

Uninstall xinetd Package

Rule IDxccdf_org.ssgproject.content_rule_package_xinetd_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_xinetd_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80850-1

References:  BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000305, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 2.1.1

Description
The xinetd package can be removed with the following command:
$ sudo yum erase xinetd
Rationale
Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.
OVAL test results details

package xinetd is removed  oval:ssg-test_package_xinetd_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xinetd_removed:obj:1 of type rpminfo_object
Name
xinetd
Remove NIS Clientxccdf_org.ssgproject.content_rule_package_ypbind_removed unknownCCE-82181-9

Remove NIS Client

Rule IDxccdf_org.ssgproject.content_rule_package_ypbind_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_ypbind_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-82181-9

References:  BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 2.3.1

Description
The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a system to an NIS server and receive the distributed configuration files.
Rationale
The NIS service is inherently an insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS generally has been replaced by such protocols as Lightweight Directory Access Protocol (LDAP). It is recommended that the service be removed.
OVAL test results details

package ypbind is removed  oval:ssg-test_package_ypbind_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_ypbind_removed:obj:1 of type rpminfo_object
Name
ypbind
Uninstall ypserv Packagexccdf_org.ssgproject.content_rule_package_ypserv_removed highCCE-82432-6

Uninstall ypserv Package

Rule IDxccdf_org.ssgproject.content_rule_package_ypserv_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_ypserv_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82432-6

References:  BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), IA-5(1)(c), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, 2.2.15

Description
The ypserv package can be removed with the following command:
$ sudo yum erase ypserv
Rationale
The NIS service provides an unencrypted authentication service which does not provide for the confidentiality and integrity of user passwords or the remote session. Removing the ypserv package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services.
OVAL test results details

package ypserv is removed  oval:ssg-test_package_ypserv_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_ypserv_removed:obj:1 of type rpminfo_object
Name
ypserv
Uninstall rsh Packagexccdf_org.ssgproject.content_rule_package_rsh_removed unknownCCE-82183-5

Uninstall rsh Package

Rule IDxccdf_org.ssgproject.content_rule_package_rsh_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_rsh_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-82183-5

References:  BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.2

Description
The rsh package contains the client commands for the rsh services
Rationale
These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it is best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the rsh package removes the clients for rsh,rcp, and rlogin.
OVAL test results details

package rsh is removed  oval:ssg-test_package_rsh_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_rsh_removed:obj:1 of type rpminfo_object
Name
rsh
Remove Rsh Trust Filesxccdf_org.ssgproject.content_rule_no_rsh_trust_files highCCE-80842-8

Remove Rsh Trust Files

Rule IDxccdf_org.ssgproject.content_rule_no_rsh_trust_files
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-no_rsh_trust_files:def:1
Time2022-11-07T15:05:53+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80842-8

References:  11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-001436, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, 6.2.16

Description
The files /etc/hosts.equiv and ~/.rhosts (in each user's home directory) list remote hosts and users that are trusted by the local system when using the rshd daemon. To remove these files, run the following command to delete them from any location:
$ sudo rm /etc/hosts.equiv
$ rm ~/.rhosts
Rationale
This action is only meaningful if .rhosts support is permitted through PAM. Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system.
OVAL test results details

look for .rhosts in /root  oval:ssg-test_no_rsh_trust_files_root:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_root:obj:1 of type file_object
PathFilename
/root^\.rhosts$

look for .rhosts in /home  oval:ssg-test_no_rsh_trust_files_home:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_home:obj:1 of type file_object
BehaviorsPathFilename
no value/home^\.rhosts$

look for /etc/hosts.equiv  oval:ssg-test_no_rsh_trust_files_etc:tst:1  false

No items have been found conforming to the following objects:
Object oval:ssg-object_no_rsh_trust_files_etc:obj:1 of type file_object
PathFilename
/etc^hosts\.equiv$
Uninstall talk Packagexccdf_org.ssgproject.content_rule_package_talk_removed mediumCCE-80848-5

Uninstall talk Package

Rule IDxccdf_org.ssgproject.content_rule_package_talk_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_talk_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80848-5

References:  BP28(R1), 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 2.3.3

Description
The talk package contains the client program for the Internet talk protocol, which allows the user to chat with other users on different systems. Talk is a communication program which copies lines from one terminal to the terminal of another user. The talk package can be removed with the following command:
$ sudo yum erase talk
Rationale
The talk software presents a security risk as it uses unencrypted protocols for communications. Removing the talk package decreases the risk of the accidental (or intentional) activation of talk client program.
OVAL test results details

package talk is removed  oval:ssg-test_package_talk_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_talk_removed:obj:1 of type rpminfo_object
Name
talk
Uninstall telnet-server Packagexccdf_org.ssgproject.content_rule_package_telnet-server_removed highCCE-82182-7

Uninstall telnet-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_telnet-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_telnet-server_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82182-7

References:  BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000381, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000095-GPOS-00049, RHEL-08-040000, 2.2.16, SV-230487r627750_rule

Description
The telnet-server package can be removed with the following command:
$ sudo yum erase telnet-server
Rationale
It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities are often overlooked and therefore may remain unsecure. They increase the risk to the platform by providing additional attack vectors.
The telnet service provides an unencrypted remote access service which does not provide for the confidentiality and integrity of user passwords or the remote session. If a privileged user were to login using this service, the privileged user password could be compromised.
Removing the telnet-server package decreases the risk of the telnet service's accidental (or intentional) activation.
OVAL test results details

package telnet-server is removed  oval:ssg-test_package_telnet-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet-server_removed:obj:1 of type rpminfo_object
Name
telnet-server
Remove telnet Clientsxccdf_org.ssgproject.content_rule_package_telnet_removed lowCCE-80849-3

Remove telnet Clients

Rule IDxccdf_org.ssgproject.content_rule_package_telnet_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_telnet_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-80849-3

References:  BP28(R1), 3.1.13, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3, 2.3.4

Description
The telnet client allows users to start connections to other systems via the telnet protocol.
Rationale
The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an unauthorized user to steal credentials. The ssh package provides an encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
OVAL test results details

package telnet is removed  oval:ssg-test_package_telnet_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_telnet_removed:obj:1 of type rpminfo_object
Name
telnet
Uninstall tftp-server Packagexccdf_org.ssgproject.content_rule_package_tftp-server_removed highCCE-82436-7

Uninstall tftp-server Package

Rule IDxccdf_org.ssgproject.content_rule_package_tftp-server_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tftp-server_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-82436-7

References:  BP28(R1), 11, 12, 14, 15, 3, 8, 9, APO13.01, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS01.04, DSS05.02, DSS05.03, DSS05.05, DSS06.06, CCI-000318, CCI-000366, CCI-000368, CCI-001812, CCI-001813, CCI-001814, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.2.1, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.2.1, A.6.2.2, A.9.1.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.IP-1, PR.PT-3, PR.PT-4, SRG-OS-000480-GPOS-00227, RHEL-08-040190, 2.2.9, SV-230533r627750_rule

Description
The tftp-server package can be removed with the following command:
 $ sudo yum erase tftp-server
Rationale
Removing the tftp-server package decreases the risk of the accidental (or intentional) activation of tftp services.

If TFTP is required for operational support (such as transmission of router configurations), its use must be documented with the Information Systems Securty Manager (ISSM), restricted to only authorized personnel, and have access control rules established.
OVAL test results details

package tftp-server is removed  oval:ssg-test_package_tftp-server_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp-server_removed:obj:1 of type rpminfo_object
Name
tftp-server
Remove tftp Daemonxccdf_org.ssgproject.content_rule_package_tftp_removed lowCCE-83590-0

Remove tftp Daemon

Rule IDxccdf_org.ssgproject.content_rule_package_tftp_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_tftp_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitylow
Identifiers and References

Identifiers:  CCE-83590-0

References:  BP28(R1), 2.3.6

Description
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between systems. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.
Rationale
It is recommended that TFTP be removed, unless there is a specific need for TFTP (such as a boot server). In that case, use extreme caution when configuring the services.
OVAL test results details

package tftp is removed  oval:ssg-test_package_tftp_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_tftp_removed:obj:1 of type rpminfo_object
Name
tftp
Uninstall squid Packagexccdf_org.ssgproject.content_rule_package_squid_removed unknownCCE-82189-2

Uninstall squid Package

Rule IDxccdf_org.ssgproject.content_rule_package_squid_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_squid_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-82189-2

References:  2.2.13

Description
The squid package can be removed with the following command:
 $ sudo yum erase squid
Rationale
If there is no need to make the proxy server software available, removing it provides a safeguard against its activation.
OVAL test results details

package squid is removed  oval:ssg-test_package_squid_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_squid_removed:obj:1 of type rpminfo_object
Name
squid
Uninstall Samba Packagexccdf_org.ssgproject.content_rule_package_samba_removed unknownCCE-85978-5

Uninstall Samba Package

Rule IDxccdf_org.ssgproject.content_rule_package_samba_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_samba_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-85978-5

References:  2.2.12

Description
The samba package can be removed with the following command:
 $ sudo yum erase samba
Rationale
If there is no need to make the Samba software available, removing it provides a safeguard against its activation.
OVAL test results details

package samba is removed  oval:ssg-test_package_samba_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_samba_removed:obj:1 of type rpminfo_object
Name
samba
Uninstall net-snmp Packagexccdf_org.ssgproject.content_rule_package_net-snmp_removed unknownCCE-85980-1

Uninstall net-snmp Package

Rule IDxccdf_org.ssgproject.content_rule_package_net-snmp_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_net-snmp_removed:def:1
Time2022-11-07T15:05:53+00:00
Severityunknown
Identifiers and References

Identifiers:  CCE-85980-1

References:  2.2.14

Description
The net-snmp package provides the snmpd service. The net-snmp package can be removed with the following command:
$ sudo yum erase net-snmp
Rationale
If there is no need to run SNMP server software, removing the package provides a safeguard against its activation.
OVAL test results details

package net-snmp is removed  oval:ssg-test_package_net-snmp_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_net-snmp_removed:obj:1 of type rpminfo_object
Name
net-snmp
Set SSH Client Alive Count Maxxccdf_org.ssgproject.content_rule_sshd_set_keepalive mediumCCE-80907-9

Set SSH Client Alive Count Max

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_keepalive
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_keepalive:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80907-9

References:  BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000480-VMM-002000, 5.2.20

Description
The SSH server sends at most ClientAliveCountMax messages during a SSH session and waits for a response from the SSH client. The option ClientAliveInterval configures timeout after each ClientAliveCountMax message. If the SSH server does not receive a response from the client, then the connection is considered idle and terminated. For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes an idle timeout precisely when the ClientAliveInterval is set. Starting with v8.2, a value of 0 disables the timeout functionality completely. If the option is set to a number greater than 0, then the idle session will be disconnected after ClientAliveInterval * ClientAliveCountMax seconds.
Rationale
This ensures a user login will be terminated as soon as the ClientAliveInterval is reached.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_clientalivecountmax:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configClientAliveCountMax 0
Set SSH Idle Timeout Intervalxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout mediumCCE-80906-1

Set SSH Idle Timeout Interval

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_idle_timeout:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80906-1

References:  BP28(R29), 1, 12, 13, 14, 15, 16, 18, 3, 5, 7, 8, 5.5.6, APO13.01, BAI03.01, BAI03.02, BAI03.03, DSS01.03, DSS03.05, DSS05.04, DSS05.05, DSS05.07, DSS05.10, DSS06.03, DSS06.10, 3.1.11, CCI-000879, CCI-001133, CCI-002361, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 6.2, A.12.4.1, A.12.4.3, A.14.1.1, A.14.2.1, A.14.2.5, A.18.1.4, A.6.1.2, A.6.1.5, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.4, A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.2, A.9.4.3, A.9.4.4, A.9.4.5, CIP-004-6 R2.2.3, CIP-007-3 R5.1, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, CM-6(a), AC-17(a), AC-2(5), AC-12, AC-17(a), SC-10, CM-6(a), DE.CM-1, DE.CM-3, PR.AC-1, PR.AC-4, PR.AC-6, PR.AC-7, PR.IP-2, Req-8.1.8, SRG-OS-000126-GPOS-00066, SRG-OS-000163-GPOS-00072, SRG-OS-000279-GPOS-00109, SRG-OS-000395-GPOS-00175, SRG-OS-000480-VMM-002000, RHEL-08-010201, 5.2.20, SV-244525r743824_rule

Description
SSH allows administrators to set an idle timeout interval. After this interval has passed, the idle user will be automatically logged out.

To set an idle timeout interval, edit the following line in /etc/ssh/sshd_config as follows:
ClientAliveInterval 900


The timeout interval is given in seconds. For example, have a timeout of 10 minutes, set interval to 600.

If a shorter timeout has already been set for the login shell, that value will preempt any SSH setting made in /etc/ssh/sshd_config. Keep in mind that some processes may stop SSH from correctly detecting that the user is idle.
Rationale
Terminating an idle ssh session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management session enabled on the console or console port that has been let unattended.
Warnings
warning  SSH disconnecting idle clients will not have desired effect without also configuring ClientAliveCountMax in the SSH service configuration.
warning  Following conditions may prevent the SSH session to time out:
  • Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.
  • Any scp or sftp activity by the same user to the host resets the timeout.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

timeout is configured  oval:ssg-test_sshd_idle_timeout:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configClientAliveInterval 180 #ClientAliveCountMax 3
Disable Host-Based Authenticationxccdf_org.ssgproject.content_rule_disable_host_auth mediumCCE-80786-7

Disable Host-Based Authentication

Rule IDxccdf_org.ssgproject.content_rule_disable_host_auth
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-disable_host_auth:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80786-7

References:  11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, 0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.2.3, CIP-004-6 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.2, CIP-007-3 R5.2, CIP-007-3 R5.3.1, CIP-007-3 R5.3.2, CIP-007-3 R5.3.3, AC-3, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, 5.2.8

Description
SSH's cryptographic host-based authentication is more secure than .rhosts authentication. However, it is not recommended that hosts unilaterally trust one another, even within an organization.
The default SSH configuration disables host-based authentication. The appropriate configuration is used if no value is set for HostbasedAuthentication.
To explicitly disable host-based authentication, add or correct the following line in /etc/ssh/sshd_config:
HostbasedAuthentication no
Rationale
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file  oval:ssg-test_disable_host_auth:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configHostbasedAuthentication no
Disable SSH Access via Empty Passwordsxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords highCCE-80896-4

Disable SSH Access via Empty Passwords

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_empty_passwords:def:1
Time2022-11-07T15:05:53+00:00
Severityhigh
Identifiers and References

Identifiers:  CCE-80896-4

References:  NT007(R17), 11, 12, 13, 14, 15, 16, 18, 3, 5, 9, 5.5.6, APO01.06, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.02, DSS06.03, DSS06.06, 3.1.1, 3.1.5, CCI-000366, CCI-000766, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 5.2, SR 7.6, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.12.1.2, A.12.5.1, A.12.6.2, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.DS-5, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000106-GPOS-00053, SRG-OS-000480-GPOS-00229, SRG-OS-000480-GPOS-00227, SRG-OS-000480-VMM-002000, RHEL-08-020330, 5.2.9, SV-230380r743993_rule

Description
Disallow SSH login with empty passwords. The default SSH configuration disables logins with empty passwords. The appropriate configuration is used if no value is set for PermitEmptyPasswords.
To explicitly disallow SSH login from accounts with empty passwords, add or correct the following line in /etc/ssh/sshd_config:
PermitEmptyPasswords no
Any accounts with empty passwords should be disabled immediately, and PAM configuration should prevent users from being able to assign themselves empty passwords.
Rationale
Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_empty_passwords:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPermitEmptyPasswords no
Disable SSH Support for .rhosts Filesxccdf_org.ssgproject.content_rule_sshd_disable_rhosts mediumCCE-80899-8

Disable SSH Support for .rhosts Files

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_rhosts
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_rhosts:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80899-8

References:  11, 12, 14, 15, 16, 18, 3, 5, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, DSS05.02, DSS05.04, DSS05.05, DSS05.07, DSS06.03, DSS06.06, 3.1.12, CCI-000366, 4.3.3.2.2, 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4, 4.3.4.3.2, 4.3.4.3.3, SR 1.1, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, A.6.1.2, A.7.1.1, A.9.1.2, A.9.2.1, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.AC-4, PR.AC-6, PR.IP-1, PR.PT-3, FIA_UAU.1, SRG-OS-000480-GPOS-00227, SRG-OS-000107-VMM-000530, 5.2.11

Description
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
The default SSH configuration disables support for .rhosts. The appropriate configuration is used if no value is set for IgnoreRhosts.
To explicitly disable support for .rhosts files, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes
Rationale
SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_rhosts:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configIgnoreRhosts yes
Disable SSH TCP Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding mediumCCE-83301-2

Disable SSH TCP Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_tcp_forwarding:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83301-2

References:  5.2.13

Description
The AllowTcpForwarding parameter specifies whether TCP forwarding is permitted. To disable TCP forwarding, add or correct the following line in /etc/ssh/sshd_config:
AllowTcpForwarding no
Rationale
Leaving port forwarding enabled can expose the organization to security risks and back-doors.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of AllowTcpForwarding setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_tcp_forwarding:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configAllowTcpForwarding no
Disable X11 Forwardingxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding mediumCCE-83360-8

Disable X11 Forwarding

Rule IDxccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_disable_x11_forwarding:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83360-8

References:  CCI-000366, CM-6(b), SRG-OS-000480-GPOS-00227, RHEL-08-040340, 5.2.12, SV-230555r627750_rule

Description
The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections. SSH has the capability to encrypt remote X11 connections when SSH's X11Forwarding option is enabled.
The default SSH configuration disables X11Forwarding. The appropriate configuration is used if no value is set for X11Forwarding.
To explicitly disable X11 Forwarding, add or correct the following line in /etc/ssh/sshd_config:
X11Forwarding no
Rationale
Disable X11 forwarding unless there is an operational requirement to use X11 applications directly. There is a small risk that the remote X11 servers of users who are logged in via SSH with X11 forwarding could be compromised by other users on the X11 server. Note that even if X11 forwarding is disabled, users can always install their own forwarders.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_disable_x11_forwarding:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configX11Forwarding no
Do Not Allow SSH Environment Optionsxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env mediumCCE-80903-8

Do Not Allow SSH Environment Options

Rule IDxccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_do_not_permit_user_env:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-80903-8

References:  11, 3, 9, 5.5.6, BAI10.01, BAI10.02, BAI10.03, BAI10.05, 3.1.12, CCI-000366, 164.308(a)(4)(i), 164.308(b)(1), 164.308(b)(3), 164.310(b), 164.312(e)(1), 164.312(e)(2)(ii), 4.3.4.3.2, 4.3.4.3.3, SR 7.6, A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4, AC-17(a), CM-7(a), CM-7(b), CM-6(a), PR.IP-1, SRG-OS-000480-GPOS-00229, SRG-OS-000480-VMM-002000, RHEL-08-010830, 5.2.10, SV-230330r646870_rule

Description
Ensure that users are not able to override environment variables of the SSH daemon.
The default SSH configuration disables environment processing. The appropriate configuration is used if no value is set for PermitUserEnvironment.
To explicitly disable Environment options, add or correct the following /etc/ssh/sshd_config:
PermitUserEnvironment no
Rationale
SSH environment options potentially allow users to bypass access restriction in some configurations.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_do_not_permit_user_env:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configPermitUserEnvironment no
Enable PAMxccdf_org.ssgproject.content_rule_sshd_enable_pam mediumCCE-86721-8

Enable PAM

Rule IDxccdf_org.ssgproject.content_rule_sshd_enable_pam
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_enable_pam:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-86721-8

References:  CCI-000877, SRG-OS-000125-GPOS-00065, 5.2.6

Description
UsePAM Enables the Pluggable Authentication Module interface. If set to “yes” this will enable PAM authentication using ChallengeResponseAuthentication and PasswordAuthentication in addition to PAM account and session module processing for all authentication types. To enable PAM authentication, add or correct the following line in /etc/ssh/sshd_config:
UsePAM yes
Rationale
When UsePAM is set to yes, PAM runs through account and session types properly. This is important if you want to restrict access to services based off of IP, time or other factors of the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of UsePAM setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_enable_pam:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configUsePAM yes
Set SSH Daemon LogLevel to VERBOSExccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose mediumCCE-82420-1

Set SSH Daemon LogLevel to VERBOSE

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_loglevel_verbose:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82420-1

References:  CCI-000067, CIP-007-3 R7.1, AC-17(a), AC-17(1), CM-6(a), SRG-OS-000032-GPOS-00013, 5.2.5

Description
The VERBOSE parameter configures the SSH daemon to record login and logout activity. To specify the log level in SSH, add or correct the following line in /etc/ssh/sshd_config:
LogLevel VERBOSE
Rationale
SSH provides several logging levels with varying amounts of verbosity. DEBUG is specifically not recommended other than strictly for debugging SSH communications since it provides so much data that it is difficult to identify important security information. INFO or VERBOSE level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it is important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

tests the value of LogLevel setting in the /etc/ssh/sshd_config file  oval:ssg-test_sshd_set_loglevel_verbose:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configLogLevel VERBOSE
Set SSH authentication attempt limitxccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries mediumCCE-83500-9

Set SSH authentication attempt limit

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_max_auth_tries:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83500-9

References:  0421, 0422, 0431, 0974, 1173, 1401, 1504, 1505, 1546, 1557, 1558, 1559, 1560, 1561, 5.2.16

Description
The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. Once the number of failures reaches half this value, additional failures are logged. to set MaxAUthTries edit /etc/ssh/sshd_config as follows:
MaxAuthTries 4
Rationale
Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

maxauthtries is configured  oval:ssg-test_sshd_max_auth_tries:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxAuthTries 4
Set SSH MaxSessions limitxccdf_org.ssgproject.content_rule_sshd_set_max_sessions mediumCCE-83357-4

Set SSH MaxSessions limit

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_max_sessions
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_max_sessions:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-83357-4

References:  5.2.18

Description
The MaxSessions parameter specifies the maximum number of open sessions permitted from a given connection. To set MaxSessions edit /etc/ssh/sshd_config as follows:
MaxSessions 10
Rationale
To protect a system from denial of service due to a large number of concurrent sessions, use the rate limiting function of MaxSessions to protect availability of sshd logins and prevent overwhelming the daemon.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

Verify if Profile set Value sshd_required as required  oval:ssg-test_sshd_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is installed  oval:ssg-test_package_openssh-server_installed:tst:1  true

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

maxsessions is configured  oval:ssg-test_sshd_max_sessions:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxSessions 10
Ensure SSH MaxStartups is configuredxccdf_org.ssgproject.content_rule_sshd_set_maxstartups mediumCCE-90718-8

Ensure SSH MaxStartups is configured

Rule IDxccdf_org.ssgproject.content_rule_sshd_set_maxstartups
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-sshd_set_maxstartups:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-90718-8

References:  5.2.17

Description
The MaxStartups parameter specifies the maximum number of concurrent unauthenticated connections to the SSH daemon. Additional connections will be dropped until authentication succeeds or the LoginGraceTime expires for a connection. To confgure MaxStartups, you should add or correct the following line in the /etc/ssh/sshd_config file:
MaxStartups 10:30:60
CIS recommends a MaxStartups value of '10:30:60', or more restrictive where dictated by site policy.
Rationale
To protect a system from denial of service due to a large number of pending authentication connection attempts, use the rate limiting function of MaxStartups to protect availability of sshd logins and prevent overwhelming the daemon.
OVAL test results details

Verify if Profile set Value sshd_required as not required  oval:ssg-test_sshd_not_required:tst:1  false

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

Verify if Value of sshd_required is the default  oval:ssg-test_sshd_requirement_unset:tst:1  true

Following items have been found on the system:
Var refValue
oval:ssg-sshd_required:var:10

package openssh-server is removed  oval:ssg-test_package_openssh-server_removed:tst:1  false

Following items have been found on the system:
NameArchEpochReleaseVersionEvrSignature keyidExtended name
openssh-serverx86_64(none)6.el8_4.28.0p10:8.0p1-6.el8_4.2199e2f91fd431d51openssh-server-0:8.0p1-6.el8_4.2.x86_64

SSH MaxStartups start parameter is less than or equal to 10  oval:ssg-tst_maxstartups_start_parameter:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxStartups 10:30:60

SSH MaxStartups rate parameter is greater than or equal to 30  oval:ssg-tst_maxstartups_rate_parameter:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxStartups 10:30:60

SSH MaxStartups full parameter is less than or equal to 100  oval:ssg-tst_maxstartups_full_parameter:tst:1  true

Following items have been found on the system:
PathContent
/etc/ssh/sshd_configMaxStartups 10:30:60
Verify Group Who Owns SSH Server config filexccdf_org.ssgproject.content_rule_file_groupowner_sshd_config mediumCCE-82901-0

Verify Group Who Owns SSH Server config file

Rule IDxccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_groupowner_sshd_config:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82901-0

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1

Description
To properly set the group owner of /etc/ssh/sshd_config, run the command:
$ sudo chgrp root /etc/ssh/sshd_config
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing group ownership of /etc/ssh/sshd_config  oval:ssg-test_file_groupowner_sshd_config_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_groupowner_sshd_config_0:obj:1 of type file_object
FilepathFilterFilter
/etc/ssh/sshd_configoval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1
Verify Owner on SSH Server config filexccdf_org.ssgproject.content_rule_file_owner_sshd_config mediumCCE-82898-8

Verify Owner on SSH Server config file

Rule IDxccdf_org.ssgproject.content_rule_file_owner_sshd_config
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_owner_sshd_config:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82898-8

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1

Description
To properly set the owner of /etc/ssh/sshd_config, run the command:
$ sudo chown root /etc/ssh/sshd_config 
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing user ownership of /etc/ssh/sshd_config  oval:ssg-test_file_owner_sshd_config_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_owner_sshd_config_0:obj:1 of type file_object
FilepathFilterFilter
/etc/ssh/sshd_configoval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1
Verify Permissions on SSH Server config filexccdf_org.ssgproject.content_rule_file_permissions_sshd_config mediumCCE-82894-7

Verify Permissions on SSH Server config file

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_config
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_config:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82894-7

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, 5.2.1

Description
To properly set the permissions of /etc/ssh/sshd_config, run the command:
$ sudo chmod 0600 /etc/ssh/sshd_config
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
OVAL test results details

Testing mode of /etc/ssh/sshd_config  oval:ssg-test_file_permissions_sshd_config_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_config_0:obj:1 of type file_object
FilepathFilterFilter
/etc/ssh/sshd_configoval:ssg-exclude_symlinks__sshd_config:ste:1oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1
Verify Permissions on SSH Server Public *.pub Key Filesxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key mediumCCE-82428-4

Verify Permissions on SSH Server Public *.pub Key Files

Rule IDxccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-file_permissions_sshd_pub_key:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82428-4

References:  12, 13, 14, 15, 16, 18, 3, 5, APO01.06, DSS05.04, DSS05.07, DSS06.02, 3.1.13, 3.13.10, CCI-000366, 4.3.3.7.3, SR 2.1, SR 5.2, A.10.1.1, A.11.1.4, A.11.1.5, A.11.2.1, A.13.1.1, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3, A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, CIP-003-8 R5.1.1, CIP-003-8 R5.3, CIP-004-6 R2.3, CIP-007-3 R2.1, CIP-007-3 R2.2, CIP-007-3 R2.3, CIP-007-3 R5.1, CIP-007-3 R5.1.1, CIP-007-3 R5.1.2, AC-17(a), CM-6(a), AC-6(1), PR.AC-4, PR.DS-5, SRG-OS-000480-GPOS-00227, RHEL-08-010480, 5.2.3, SV-230286r627750_rule

Description
To properly set the permissions of /etc/ssh/*.pub, run the command:
$ sudo chmod 0644 /etc/ssh/*.pub
Rationale
If a public host key file is modified by an unauthorized user, the SSH service may be compromised.
OVAL test results details

Testing mode of /etc/ssh/  oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1 of type file_object
PathFilenameFilterFilter
/etc/ssh^.*\.pub$oval:ssg-exclude_symlinks__sshd_pub_key:ste:1oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1
Remove the X Windows Package Groupxccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed mediumCCE-82757-6

Remove the X Windows Package Group

Rule IDxccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed
Result
pass
Multi-check ruleno
OVAL Definition IDoval:ssg-package_xorg-x11-server-common_removed:def:1
Time2022-11-07T15:05:53+00:00
Severitymedium
Identifiers and References

Identifiers:  CCE-82757-6

References:  12, 15, 8, APO13.01, DSS01.04, DSS05.02, DSS05.03, CCI-000366, 4.3.3.6.6, SR 1.13, SR 2.6, SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6, A.11.2.6, A.13.1.1, A.13.2.1, A.14.1.3, A.6.2.1, A.6.2.2, CM-7(a), CM-7(b), CM-6(a), PR.AC-3, PR.PT-4, SRG-OS-000480-GPOS-00227, 2.2.2

Description
By removing the xorg-x11-server-common package, the system no longer has X Windows installed. If X Windows is not installed then the system cannot boot into graphical user mode. This prevents the system from being accidentally or maliciously booted into a graphical.target mode. To do so, run the following command:
$ sudo yum groupremove base-x
$ sudo yum remove xorg-x11-server-common
Rationale
Unnecessary service packages must not be installed to decrease the attack surface of the system. X windows has a long history of security vulnerabilities and should not be installed unless approved and documented.
Warnings
warning  The installation and use of a Graphical User Interface (GUI) increases your attack vector and decreases your overall security posture. Removing the package xorg-x11-server-common package will remove the graphical target which might bring your system to an inconsistent state requiring additional configuration to access the system again. If a GUI is an operational requirement, a tailored profile that removes this rule should used before continuing installation.
OVAL test results details

package xorg-x11-server-common is removed  oval:ssg-test_package_xorg-x11-server-common_removed:tst:1  true

No items have been found conforming to the following objects:
Object oval:ssg-obj_test_package_xorg-x11-server-common_removed:obj:1 of type rpminfo_object
Name
xorg-x11-server-common
Scroll back to the first rule
Red Hat and Red Hat Enterprise Linux are either registered trademarks or trademarks of Red Hat, Inc. in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies.